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This  work  was  performed  by  United  Airlines  under  the  sponsorship  of  the 
Office  of  Assistant  Secretary  of  Defense  (Manpower,  Reserve  Affairs  and  Logistics) 

Actu.  lal  analysis  Aircraft  maintenance  Cost  effectiveness  Decision  theory 
Evaluation  Failurt  effects  Flight  safety  Logistics  Maintenance  program 
Mechanical  safety  Preventive  maintenance  Product  improvement 
Reliability  Scheduled  maintenance  System  effectiveness 

This  book  explains  basic  concepts,  principles,  definitions,  and  applications  of  a 
logical  discipline  for  development  of  efficient  scheduled  (preventive)  maintenance 
programs  for  complex  equipment,  and  the  on-going  management  of  such  programs. 
Such  programs  are  called  reliability-centered  maintenance  (RCM)  programs  because 
they  are  centered  on  achieving  the  inherent  safety  and  reliability  capabilities  of 


DD 


1473 


Unclassified 

>«!*■,'  A ’ ,f)U  >F  T tl  j r,  PAfil.  .'IDii'ii  I’ntn  hi 


REPRODUCED  BY 

NATIONAL  TECHNICAL 
INFORMATION  SERVICE 

U.S.  DEPAR1MENI  OF  COMMERCE 
SPRINGFIELD.  VA.  22161 


DD 


Unclassified 

MIT-V  ci  ASSIVIC  A riC'M  This  PAGi:  Mam  '• 

AO'/RAC 

equipment  at  a minimum  cost,  A U.S.  Department  of  Defense  objective  in  sponsor- 
ing preparation  of  this  document  was  that  it  serve  as  a guide  for  application  to  a 
wide  range  of  different  types  of  military  equipment. 

There  are  essentially  only  four  types  of  tasks  in  a scheduled  maintenance  program. 
Mechanics  can  be  asked  to: 

Inspect  an  item  to  detect  a potential  failure 
Rework  an  item  before  a maximum  permissible  age  is  exceeded 
Discard  an  item  before  a maximum  permissible  age  is  exceeded 
Inspect  an  item  to  find  failures  that  have  already  occurred  but  wert  not  evident 
to  the  equipment  operating  crew 

A central  problem  addressed  in  this  book  is  how  to  determine  which  types  of  sched- 
uled maintenance  tasks,  if  any,  should  be  applied  to  an  item  and  how  frequently 
assigned  tasks  should  be  accomplished.  The  use  of  a decision  diagram  as  an  aid  in 
this  analysis  is  illustrated.  The  net  result  is  a structured,  systematic  blend  of 
experience,  judgment,  and  operational  data/information  to  identify  and  analyze 
which  type  of  maintenance  task  is  both  applicable  and  effective  for  each  significant 
item  as  it  relates  to  a particular  type  of  equipment.  A concluding  chapter  emphasizes 
the  key  importance  of  having  a mutually  supportive  partnership  between  the  per- 
sonnel responsible  for  equipment  design  and  the  personnel  responsible  for  equip- 
ment maintenance  if  maximum  UCM  results  are  to  be  achieved. 

Appendices  are  included  as  follows: 

Procedures  for  auditing  «he  development  and  implementation  of  an  RCM 
program 

A historical  review  of  equipment  maintenance  evolution 
Techniques  of  performing  actuarial  analyses 
An  annotated  bibliography 
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this  volume  provides  the  first  full  discussion  of  reliability-centered 
maintenance  as  a logical  discipline  for  the  development  of  scheduled- 
mairttenance  programs.  The  objective  of  such  programs  is  to  realize  the 
inherent  reliability  capabilities  of  the  equipment  for  which  they  are 
designed,  and  to  do  so  at  minimum  cost.  Each  scheduled-maintenance 
task  in  an  RCM  program  is  generated  for  an  identifiable  and  explicit 
reason.  The  consequences  of  each  failure  possibility  are  evaluated,  and 
the  failures  are  then  classified  according  to  the  severity  of  their  conse- 
quences. Then  for  all  significant  items  — those  whose  failure  involves 
operating  safety  or  has  major  economic  consequences  — proposed  tasks 
are  evaluated  according  to  specific  criteria  of  applicability  and  effective- 
ness. The  resulting  scheduled-maintenance  program  thus  includes  all 
the  tasks  necessary  to  protect  safety  and  operating  reliability,  and  only 
the  tasks  that  will  accomplish  this  objective. 

Up  to  this  point  the  only  document  describing  thr  use  of  decision 
diagrams  for  developing  maintenance  programs  has  been  MSG-2,  the 
predecessor  of  PCM  analysis.  MSG-2  was  concerned  primarily  with  the 
development  of  prior-to-service  programs  and  did  not  cover  the  use  of 
operating  information  to  modify  the  maintenance  program  after  the 
equipment  enters  service  or  the  role  of  product  improvement  in  equip- 
ment development.  The  chief  focus  was  on  the  identification  of  a set  of 
tasKS  that  would  eliminate  the  cost  of  unnecessary  maintenance  without 
compromising  safety  or  operating  capability.  There  was  no  mention  of 
the  problem  of  establishing  task  intervals,  of  consolidating  the  tasks 
into  work  packages,  or  of  making  decisions  where  the  necessary  infor- 
mation is  unavailable.  The  treatment  of  structure  programs  v/as  sketchy, 
and  zonal  and  other  general  inspection  programs  were  not  discussed 
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The  difficulty  that  many  people  experienced  in  attempting  to  apply 
the  concepts  of  MSG-2  indicated  the  need  for  changes  and  additions 
simply  to  clarify  many  of  the  points.  It  was  also  abundantly  clear,  how- 
ever, that  the  scope  of  the  material  should  be  expanded  to  cover  the  topics 
that  had  not  been  discussed  in  that  document,  This  volume  includes  a 
major  expansion  of  the  discussion  on  the  problem  of  identifying  func- 
tionally and  stmcturally  significant  items.  The  RCM  decision  diagram 
itself  is  quite  different  from  the  one  used  for  MSG-2.  Instead  of  beginning 
with  the  evaluation  of  proposed  maintenance  tasks,  the  decision  logic 
begins  with  the  factor  that  determines  the  maintenance  requirements  of 
each  item  — the  consequences  of  a functional  failure  — and  then  an  evalu- 
ation of  the  failure  modes  that  cause  it.  This  new  diagram  also  recog- 
nizes the  four  basic  maintenance  tasks  that  mechanics  can  perform 
(instead  of  three  maintenance  processes),  thereby  clarifying  the  treat- 
ment of  items  with  hidden  functions.  The  role  of  a hidden-function 
failure  in  a sequence  of  multiple  independent  failures  is  stressed,  and 
it  is  also  shown  that  the  consequences  of  a possible  multiple  failure  are 
explicitly  recognized  in  the  definition  of  the  consequences  of  the  first 
failure. 

Another  important  aspect  of  the  RCM  decision  logic  is  that  it 
includes  a default  strategy  for  making  initial  maintenance  decisions  in 
the  absence  of  full  information.  There  is  a full  discussion  of  the  problem 
of  assigning  task  intervals,  particularly  those  for  first  and  repeat  on- 
condition  inspections.  The  role  of  age  exploration  and  the  use  of  infor- 
mation derived  from  operating  experience,  both  to  modify  the  initial 
maintenance  program  and  to  initiate  product  improvement,  is  discussed 
at  length.  The  content  of  scheduled-maintenance  programs  developed 
by  experienced  practitioners  of  MSG-2  techniques  may  be  quite  similar 
to  the  programs  resulting  from  RCM  analysis,  but  the  RCM  approach  is 
more  rigorous,  and  there  should  be  much  more  confidence  in  its  out- 
come. The  RCM  technique  can  also  be  learned  more  quickly  and  is  more 
readily  applicable  to  complex  equipment  other  than  transport  aircraft. 

Part  One  of  this  volume  presents  a full  explanation  of  the  theory 
and  principles  of  re'iability-centered  maintenance,  including  a discus- 
sion of  me  failure  process,  the  criteria  for  each  of  the  four  basic  tasks, 
the  use  of  the  decision  logic  to  develop  an  initial  program,  and  the 
age-exploration  activities  that  result  in  a continuing  evolution  of  this 
program  after  the  equipment  enters  service.  Part  Two  describes  the 
application  of  these  principles  to  the  analysis  of  typical  items  in  the 
systems,  powerplant,  and  stnicture  division  of  an  airplane;  the  consid- 
erations in  packaging  the  RCM  tasks,  along  with  other  scheduled  tasks, 
for  actual  implementation;  a the  information  systems  necessary  for 
management  of  the  ongoing  maintenance  program.  The  concluding 
chapter  discusses  the  relationship  of  scheduled  maintenance  to  operat- 
ing safety,  the  desigr-maintenance  partnership,  and  the  application  of 


RCM  analysis  both  to  in-service  fleets  and  to  other  types  of  complex 
equipment. 

The  text  is  followed  by  four  appendices.  Appendix  A outlines  the 
principles  of  auditing  a program-development  project  and  discusses 
some  of  the  common  problems  that  arise  during  analysis.  This  material 
provides  an  excellent  check  list  for  the  analyst  as  well  as  the  auditor  and 
should  be  especially  useful  as  a teaching  aid  for  those  conducting  train- 
ing groups  in  RCM  methods.  Appendix  B is  a historical  review  of  the 
changes  in  maintenance  thinking  in  the  airline  industry.  Appendix  C is 
a discussion  of  the  engineering  procedures  and  techniques  used  in 
actuarial  analysis  of  reliability  data.  Appendix  D,  written  by  Dr.  James 

L.  Dolby,  is  a discussion  of  the  literature  in  reliability  theory,  information 
science,  decision  analysis,  and  other  areas  related  to  RCM  analysis  and 
provides  an  annotated  guide  to  this  literature  as  well  as  to  the  specific 
literature  on  reliability-centered  maintenance.  Dr.  Howard  L.  Resnikoff 
has  written  an  accompanying  mathematical  treatment  of  the  subject, 
titled  Mathematical  Aspects  of  Reliability-Centered  Maintenance. 
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Ai.  operator's  maintenance  program  has  four  objectives: 

► To  ensure  realization  of  the  inherent  safety  and  reliability  levels  of 
the  equipment 

► To  restore  safety  and  reliability  to  their  inherent  levels  when  deteri- 
oration has  occurred 

► To  obtain  the  information  necessary  for  design  improvement  of 
those  items  whose  inherent  reliability  proves  inadequate 

► To  accomplish  these  goals  at  a minimum  total  cost,  including  main- 
tenance costs  and  the  costs  of  residual  failures 

Reliability-centered  maintenance  is  based  on  the  following  precepts: 

► A failure  is  an  unsatisfactory  condition.  There  are  two  types  of  fail- 
ures: functional  failures,  usually  reported  by  operating  crews,  and 
potential  failures,  usually  discovered  by  maintenance  crews. 

► The  consequences  of  a functional  failure  determine  the  priority  of 
maintenance  effort.  These  consequences  fall  into  four  categories: 

► Safety  consequences,  involving  possible  loss  of  the  equipment 
and  its  occupants 

► Operational  consequences,  which  involve  an  indirect  economic 
loss  as  well  as  the  direct  cost  of  repair 

► Nonoperational  consequences,  which  involve  only  the  direct 
cost  of  repair 

► Hidden-failure  consequences,  which  involve  exposure  to  a pos- 
sible multiple  failure  as  a result  of  the  undetected  failure  of  a 
hidden  function 


Scheduled  maintenance  is  required  for  any  item  whose  loss  of  func- 
tion or  mode  of  failure  could  have  safety  consequences.  If  preven- 
tive tasks  cannot  reduce  the  risk  of  such  failures  to  an  acceptable 
level,  the  item  must  be  redesigned  to  alter  its  failure  consequences. 

Scheduled  maintenance  is  required  for  any  item  whose  functional 
failure  will  not  be  evident  to  the  operating  crew,  and  therefore 
reported  for  corrective  action. 

In  all  other  cases  the  consequences  of  failure  are  economic,  and 
maintenance  tasks  directed  at  preventing  such  failuies  must  be 
justified  on  economic  grounds. 

All  failure  consequences,  including  economic  consequences,  are 
established  by  the  design  characteristics  of  the  equipment  and  can 
be  altered  only  by  basic  changes  in  the  design: 

► Safety  consequences  can  in  nearly  all  cases  be  reduced  to  eco- 
nomic consequences  by  the  use  of  redundancy. 

► Hidden  functions  can  usually  be  made  evident  by  instrumen- 
tation or  other  design  features. 

► The  feasibility  and  cost  effectiveness  of  scheduled  main- 
tenance depend  on  the  inspectability  of  the  item,  and  the  cost 
of  corrective  maintenance  depends  on  its  failure  modes  and 
inherent  reliability. 

The  inherent  reliability  of  the  equipment  is  the  level  of  reliability 
achieved  with  an  effective  maintenance  program.  This  level  is  estab- 
lished by  the  design  of  each  item  and  the  manufacturing  processes 
that  produced  it.  Scheduled  maintenance  can  ensure  that  the  in- 
herent reliability  of  each  item  is  achieved,  but  no  form  of  mainte- 
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nance  can  yield  a level  of  reliability  beyond  that  inherent  in  the 
design. 

A reliability-centered  maintenance  program  includes  only  those  tasks 
which  satisfy  the  criteria  for  both  applicability  and  effectiveness.  The 
applicability  of  a task  is  determined  by  the  characteristics  of  the  item, 
and  its  effectiveness  is  defined  in  terms  of  the  consequences  the  task  is 
designed  to  prevent. 

► There  are  four  basic  types  of  tasks  that  mechanics  can  perform,  each 
of  which  is  applicable  under  a unique  set  of  conditions.  The  first 
three  tasks  are  directed  at  preventing  functional  failures  of  the 
items  to  which  they  are  assigned  and  the  fourth  is  directed  at  pre- 
venting a multiple  failure  involving  that  item: 

► On-condition  inspections  of  an  item  to  find  and  correct  any 
potential  failures 

► Rework  (overhaul)  of  an  item  at  or  before  some  specified  age 
limit 

► Discard  of  an  item  (or  one  of  its  parts)  at  or  before  some  speci- 
fied life  limit 

► Failure-finding  inspections  of  a hidden-function  item  to  find 
and  correct  functional  failures  that  have  already  occurred  but 
were  not  evident  to  the  operating  crew 

► A simple  item,  one  that  is  subject  to  only  one  or  a very  few  failure 
modes,  frequently  shows  a decrease  in  reliability  with  increasing 
operating  age.  An  age  limit  may  be  useful  in  reducing  the  overall 
failure  rate  of  such  items,  and  safe-life  limits  imposed  on  a single 
part  play  a crucial  role  in  controlling  critical  failures. 

► A complex  item,  one  whose  functional  failure  may  result  from  many 
different  failure  modes,  shows  little  or  no  decrease  in  overall 
reliability  with  increasing  age  unless  there  is  a dominant  failure 
mode.  Age  limits  imposed  on  complex  components  and  systems 
(including  the  equipment  itself)  therefore  have  little  or  no  effect 
on  their  overall  failure  rates. 

The  RCM  decision  diagram  provides  a logical  tool  for  determining  which 
scheduled  tasks  are  either  necessary  or  desirable  to  protect  the  safety 
and  operating  capability  of  the  equipment. 

► The  resulting  set  of  RCM  tasks  is  based  on  the  following  considera- 
tions: 

► The  consequences  of  each  type  of  functional  failure 
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► The  visibility  of  a functional  failure  to  the  operating  crew 
(evidence  that  a failure  has  occurred) 

► The  visibility  of  reduced  resistance  to  failure  (evidence  that 
a failure  is  imminent) 

► The  age-reliability  characteristics  of  each  item 

► The  economic  tradeoff  between  the  cost  of  scheduled  main- 
tenance and  the  benefits  to  be  derived  from  it 

► A multiple  failure,  resulting  from  a sequence  of  independent  fail- 
ures, may  have  consequences  that  would  not  be  caused  by  any  one 
of  the  individual  failures  alone.  These  consequences  are  taken 
into  account  in  the  definition  of  the  failure  consequences  for  the 
first  failure. 

► A default  strategy  governs  decision  making  in  the  absence  of  full 
information  or  agreement.  This  strategy  provides  for  conservative 
initial  decisions,  to  be  revised  on  the  basis  of  information  derived 
from  operating  experience. 

A scheduled-maintenance  program  must  be  dynamic.  Any  prior-to 
service  program  is  based  on  limited  information,  and  the  operating 
organization  must  be  prepared  to  collect  and  respond  to  real  data 
throughout  the  operating  life  of  the  equipment. 

► Management  of  the  ongoing  maintenance  program  requires  an 
organized  information  system  for  surveillance  and  analysis  of  the 
performance  of  each  item  under  actual  operating  conditions.  This 
information  is  needed  for  two  purposes: 

► To  determine  the  refinements  and  modifications  to  be  made  in 
the  initial  maintenance  program  (including  the  adjustment  of 
task  intervals) 

► To  determine  the  needs  for  product  improvement 

► The  information  derived  from  operating  experience  has  the  follow- 
ing hierarchy  of  importance: 

► Failures  that  could  affect  operating  safety 

► Failures  that  have  operational  consequences 

► The  failure  modes  of  units  removed  as  a result  of  failures 

► The  general  condition  of  unfailed  parts  in  units  that  have 
failed 

► The  general  condition  of  serviceable  units  inspected  as 
samples 


At  the  time  an  initial  program  is  developed  information  is  available 
to  determine  the  tasks  necessary  to  protect  safety  and  operating 
capability.  However,  the  information  required  to  determine  opti- 
mum task  intervals  and  the  applicability  of  age  limits  can  be 
obtained  only  from  age  exploration  after  the  equipment  enters 
service, 

With  any  new  equipment  there  is  always  the  possibility  of  un- 
anticipated failure  modes.  The  first  occurrence  of  any  serious 
unanticipated  failure  immediately  sets  in  motion  the  following 
product-improvement  cycle: 

► An  on-condition  task  is  developed  to  prevent  recurrences 
while  the  item  is  being  redesigned. 

► The  operating  fleet  is  modified  to  incorporate  the  redesigned 
part. 

► After  the  modification  has  proved  successful,  the  special  task 
is  eliminated  from  the  maintenance  program. 

Product  improvement,  based  on  identification  of  the  actual  relia- 
bility characteristics  of  each  item  through  age  exploration,  is  part 
of  the  normal  development  cycle  of  all  complex  equipment. 
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CHAPTER  ONE 

reliability-centered  maintenance 


THE  TERM  reliability -centered  maintenance  refers  to  a scheduled-maintenance 
program  designed  to  realize  the  inherent  reliability  capabilities  of  equip- 
ment. For  years  maintenance  was  a craft  learned  through  experience 
and  rarely  examined  analytically.  As  new  performance  requirements 
led  to  increasingly  complex  equipment,  however,  maintenance  costs 
grew  accordingly.  By  the  late  1950s  the  volume  of  these  costs  in  the?  air- 
line industry  had  reached  a level  that  warranted  a new  look  at  the  entire 
concept  of  preventive  maintenance.  By  that  time  studies  of  actual  oper- 
ating data  had  also  begun  to  contradict  certain  basic  assumptions  of 
traditional  maintenance  practice. 

One  of  the  underlying  assumptions  of  maintenance  theory  has 
always  been  that  there  is  a fundamental  cause-and-effect  relationship 
between  scheduled  mam’enance  and  operating  reliability. This  assump- 
tion was  based  on  th  .duitive  belief  that  because  mechanical  parts 
wear  out,  the  reliability  01  any  equipment  is  directly  related  to  operating 
age.  It  therefore  followed  that  the  more  frequently  equipment  was  over- 
hauled, the  better  protected  it  was  against  the  likelihood  of  failure.  The 
only  problem  was  in  determining  what  age  limit  was  necessary  to  assure 
reliable  operation. 

In  the  case  of  aircraft  it  was  also  commonly  assumed  that  all  reli- 
ability problems  were  directly  related  to  operating  safety.  Over  the 
years,  however,  it  was  found  that  many  types  of  failures  comd  not  be 
prevented  no  matter  how  intensive  the  maintenance  activities.  More- 
over, in  a field  subject  to  rapidly  expanding  technology  it  was  becoming 
increasingly  difficult  to  eliminate  uncertainty.  Equipment  designers 
2 INTRODUCTION  were  able  to  cope  with  this  problem,  not  by  preventing  failures,  but  by 
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preventing  such  failures  from  affecting  safety.  In  most  aircraft  all  essen- 
tial functions  are  protected  by  redundancy  features  which  ensure  that, 
in  the  event  of  a failure,  the  necessary  function  will  still  be  available 
from  some  other  source.  Although  fail-safe  and  "failure-tolerant"  de- 
sign practices  have  not  entirely  eliminated  the  relationship  between 
safety  and  reliability,  they  have  dissociated  the  two  issues  sufficiently 
that  their  implications  for  maintenance  have  become  quite  different. 

A major  question  still  remained,  however,  concerning  the  relation- 
ship between  scheduled  maintenance  and  reliability.  Despite  the  time- 
honored  belief  that  reliability  was  directly  related  to  the  intervals 
between  scheduled  overhauls,  searching  studies  based  on  actuarial 
analysis  of  failure  data  suggested  that  the  traditional  hard-time  policies 
were,  apart  from  their  expense,  ineffective  in  controlling  failure  rates. 
This  was  not  because  the  intervals  were  not  short  enough,  and  surely 
not  because  the  teardown  inspections  were  not  sufficiently  thorough. 
Rather,  it  was  because,  contrary  to  expectations,  for  many  items  the 
likelihood  of  failure  did  no*  in  fact  increase  with  increasing  operating 
age.  Consequently  a maintenance  policy  based  exclusively  on  some 
maximum  operating  age  would,  no  matter  what  the  age  limit,  have  little 
or  no  effect  on  the  failure  rate. 

At  the  same  time  the  FAA,  which  is  responsible  for  regulating  air- 
{ line  maintenance  practices,  was,  frustrated  by  experiences  showing  that 

,■  it  was  not  possible  for  airlines  to  control  the  failure  rate  of  certain  types 

of  engines  by  any  feasible  changes  in  scheduled-overhaul  policy.  As  a 
result,  in  1960  a task  force  was  formed,  consisting  of  representatives 
from  both  the  FAA  and  the  airlines,  to  investigate  the  capabilities  of 
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scheduled  maintenance.  The  work  of  this  group  led  to  an  FAA/Industry 
Reliability  Program,  issued  in  November  1961.  The  introduction  to  that 
program  stated:* 

Tiie  development  of  this  program  is  towards  the  control  of  reli- 
ability through  an  analysis  of  the  factors  that  affect  reliability  and 
pro  vide  a system  of  actions  to  improve  low  reliability  levels  when 
they  exist.  ...  In  the  past,  a great  deal  of  emphasis  has  been  placed 
on  the  control  of  overhaul  periods  to  provide  a satisfactory  level  of 
reliability.  After  careful  study,  the  Committee  is  convinced  that 
reliability  and  overhaul  time  control  are  not  necessarily  directly 
associated  topics;  therefore,  these  subjects  are  dealt  with  separately. 
Because  the  propulsion  system  has  been  the  area  of  greatest  con- 
cern in  the  recent  past,  and  due  to  powerplant  data  being  more 
•eadily  available  for  study,  programs  are  being  developed  for  the 
s propulsion  system  first  as  only  one  system  at  a time  can  be  success- 
fully worked  out. 

This  approach  was  a direct  challenge  to  the  traditional  concept  that 
the  length  of  the  interval  between  successive  overhauls  of  an  item 
was  an  important  factor  in  its  failure  rate.  The  task  force  developed  a 
propulsion-system  reliability  program,  and  each  airline  involved  in  the 
task  force  was  then  authorized  to  develop  and  implement  reliability 
programs  in  the  area  of  maintenance  in  which  it  was  most  interested. 
During  this  process  a great  deal  was  learned  about  the  conditions  that 
must  obtain  for  scheduled  maintenance  to  be  effective.t  It  was  also  found 
that  in  many  cases  there  was  no  effective  form  of  scheduled  maintenance. 


I I THE  EVOLUTION  OF  RCM  ANALYSIS 
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At  United  Airlines  an  effort  was  made  io  coordinate  what  had  been 
learned  from  these  various  activities  and  define  a generally  appli- 
cable approach  to  the  design  of  maintenar.  :e  programs.  A rudimentary 
decision-diagram  technique  was  devised  in  1965  and  was  refined  over 
the  next  few  years. t This  technique  was  eventually  embodied  in  a docu- 


' FAA/ Industry  Reliability  Program,  Federal  Aviation  Agency,  November  7, 1961,  p.  1, 
t Handbook  for  Maintenance  Control  by  Reliability  Methods,  FAA  Advisory  Circular  120-17, 
December  31, 1964. 

JH.  N.  Taylor  and  F.  S.  Nowlan,  Turbine  Engine  Reliability  Program,  FAA  Maintenance 
Symposium  on  Continued  Reliability  ot  Transport-type  Aircraft  Propulsion  Systems, 
Washington,  D.C.,  November  17-18,  1965.  T.  D.  Matteson  and  F.  S.  Nowlan,  Current 
Trends  in  Airline  Maintenance  Programs,  A1AA  Commercial  Aircraft  Design  and  Opera- 
tions Meeting,  Los  Angeles,  June  12-14,  1967,  F.  S.  Nowlan,  The  Use  of  Decision  Diagrams 
for  Logical  Analysis  of  Maintenance  Programs,  United  Airlines  internal  document,  August 
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merit  published  under  the  title  Handbook:  Maintenance  Evaluation  and 
Program  Development,  generally  known  as  MSG-1. * MSG-1  was  used  by 
special  teams  of  industry  and  FAA  personnel  to  develop  the  initial  pro- 
gram issued  by  the  FAA  Maintenance  Review  Board  for  the  Boeing  747. 
As  described  by  the  FAA,  these  teams+ 

. . . sorted  out  the  potential  maintenance  tasks  and  then  evaluated 
them  to  determine  which  must  be  done  for  operating  safety  or 
essential  hidden  function  protection.  The  remaining  potential  tasks 
were  evaluated  to  determine  whether  they  were  economically  use- 
ful. These  procedures  provide  a systematic  review  of  the  aircraft 
design  so  that,  in  the  absence  of  real  experience,  the  best  [mainte- 
nance] process  can  be  utilized  for  each  component  and  system. 

The  Boeing  747  maintenance  program  so  developed  was  the  first  attempt 
to  apply  reliability-centered  maintenance  concepts.  This  program  has 
been  successful. 

Subsequent  improvements  in  the  decision-diagram  approach  led 
in  1970  to  a second  document,  MSG-2:  Airline/ Manufacturer  Maintenance 
Program  Planning  Document,  which  was  used  to  develop  the  scheduled- 
maintenance  programs  for  the  Lockheed  1011  and  the  Douglas  DC-104 
These  programs  have  been  successful.  MSG-2  has  also  been  applied  to 
tactical  milita.y  aircraft  such  .is  the  McDonnell  F4J  and  the  Lockheed 
P-3,  and  a similar  document  repared  in  Europe  was  the  basis  of  the 
initial  scheduled-maintenance  programs  for  such  recent  aircraft  as  the 
Airbus  Industrie  A-300  and  the  Concorde. 

The  objective  of  the  techniques  outlined  by  MSG-1  and  MSG-2  was 
to  develop  a scheduled-maintenance  program  that  assured  the  maxi- 
mum safety  and  reliability  of  which  the  equipment  was  capable  and 
would  meet  this  requirement  at  the  lowest  cost.  As  an  example  of  the 
economic  benefits  achieved  with  this  type  of  program,  under  traditional 
maintenance  policies  the  initial  program  for  the  Douglas  DC-8  included 
scheduled  overhaul  for  339  items,  whereas  the  initial  program  for  the 
DC-10,  based  on  MSG-2,  assigned  only  seven  items  to  overhaul.  One  of 
the  items  no  longer  subject  to  an  overhaul  limit  in  the  later  program  was 
the  turbine  engine.  Elimination  of  this  scheduled  task  not  only  led  to 
major  reductions  in  labor  and  materials  costs,  but  also  reduced  the  spare- 
engine  inventory  required  to  cover  shop  activities  by  more  than  50 
percent.  Since  engines  for  larger  airplanes  now  cost  upwards  of  $1 
million  each,  this  is  a respectable  saving. 

*747  Maintenance  Steering  Group,  I landbook:  Maintenance  Evaluation  anil  Program  Develop- 
ment (MSG-1).  Air  Transport  Association,  July  10,  1468, 

i Federal  Aviation  Administration  Certification  Procedures,  May  19,  1472,  par.  3036. 
f Airline/ Manufacturer  Maintenance  Program  Planning  Document:  MSG-2,  Air  Transport 
Association,  R & M Subcommittee,  Marcy  25,  1970. 


As  another  example,  under  the  initial  program  developed  for  the 
Boeing  747  it  took  United  Airlines  only  66,000  manhours  on  major  struc- 
tural inspections  to  reach  an  inspection  interval  of  20,000  hours.  In  con- 
trast, traditional  maintenance  policies  led  to  an  expenditure  of  over 
4 million  manhours  before  the  same  interval  was  attained  for  structural 
inspections  on  the  smaller  and  less  complex  Douglas  DC-8.  Cost  reduc- 
tions on  this  scale  are  of  obvious  importance  to  any  organization 
responsible  for  maintaining  large  fleets  of  complex  equipment.  More 
important,  they  are  achieved  with  no  decrease  in  the  reliability  of  the 
equipment;  in  fact,  a clearer  understanding  of  the  failure  process  has 
actually  improved  operating  reliability  by  making  it  easier  to  pinpoint 
signs  of  an  imminent  failure. 

The  specific  developments  that  led  to  RCM  concepts  as  a funda- 
mental approach  to  maintenance  planning  are  described  in  detail  in 
Appendix  B.  Although  MSG-1  and  MSG-2  were  short  working  papers, 
intended  for  use  by  a small  number  of  people  with  extensive  back- 
grounds in  aircraft  maintenance,  further  clarification  of  the  basic  prin- 
ciples has  resulted  in  a logical  discipline  that  applies  to  maintenance 
programs  for  any  complex  equipment. 


1-2  THE  BASIS  OF  RCM  DECISION  LOGIC 

ino  nature  of  failure  The  principles  of  reliability-centered  maintenance  stem  from  a rigorous 

identification  of  examination  of  certain  questions  that  are  often  taken  for  granted: 
significant  items 

evaluation  of  failure  ► How  does  a failure  occur? 
consequences 

selection  of  applicable  and  ► What  are  its  consequences? 
effective  tasks 

the  role  of  age  exploration  ► What  good  can  preventive  maintenance  do? 

One  of  the  chief  drawbacks  of  the  old  hard-time  approach  to  scheduled 
maintenance  is  that  the  resulting  teardown  inspections  provided  no 
real  basis  for  determining  when  serviceable  parts  were  likely  to  fail  — 
that  is,  there  was  no  objective  means  of  identifying  reduced  resistance 
to  failure.  More  than  any  other  single  factor,  recognition  of  the  specific 
need  to  identify  potential-failure  conditions  has  been  responsible  for 
the  change  from  scheduled  overhauls  to  on-condition  inspections  for 
signs  of  imminent  failure. 

Unfortunately,  not  all  items  can  be  protected  by  this  type  of  main- 
tenance task.  In  some  cases  the  failure  mechanism  is  imperfectly 
understood,  in  others  it  is  random,  and  in  yet  others  the  cost  of  such 
inspections  exceeds  the  benefits  they  might  provide.  In  fact,  preventive 
maintenance  is  not  possible  for  many  items  of  modem  complex  equip- 
ment. Nor,  in  all  cases,  is  it  necessary.  Failures  which  could  jeopardize 
the  safety  of  the  equipment  or  its  occupants  must  be  prevented.  Under 
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modem  design  practices,  however,  very  few  items  fall  into  this  category, 
either  because  an  essential  function  is  provided  by  more  than  one  source 
or  because  operating  safety  is  protected  in  some  other  way.  Similarly, 
hidden  functions  must  be  protected  by  scheduled  maintenance,  both 
to  ensure  their  availability  and  to  prevent  exposure  to  the  risk  of  a 
multiple  failure. 

In  all  other  cases  the  consequences  of  failure  are  economic,  and  the 
value  of  preventive  maintenance  must  be  measured  in  economic  terms. 
In  some  cases  these  consequences  are  major,  especially  if  a failure 
affects  the  operational  capability  of  the  equipment.  Whenever  equip- 
ment must  be  removed  from  service  to  correct  a failure,  the  cost  of  fail- 
ure includes  that  loss  of  service.  Thus  if  the  intended  use  of  the  equip- 
ment is  of  significant  value,  the  delay  or  abandonment  of  that  use 
will  constitute  a significant  loss  — a fact  that  must  be  taken  into  account 
in  evaluating  the  benefit  of  preventive  maintenance.  Other  failures  will 
incur  only  the  cost  of  correction  or  repair,  and  such  failures  may  well  be 
tolerable,  in  the  sense  that  it  is  less  expensive  to  correct  them  as  they 
occur  than  to  invest  in  the  cost  of  preventing  them. 

In  short,  the  driving  element  in  all  maintenance  decisions  is  not 
the  failure  of  a given  item,  but  the  consequences  of  that  failure  for  the 
equipment  as  a whole.  Within  this  context  it  is  possible  to  develop  an 
efficient  scheduled-maintenance  program,  subject  to  the  constraints  of 
satisfying  safety  requirements  and  meeting  operational-performance 
goals.  However,  the  solution  of  such  an  optimization  problem  requires 
certain  specific  information  which  is  nearly  always  unavailable  at  the 
time  an  initial  program  must  be  developed.  Hence  we  also  need  a basic 
strategy  for  decision  making  which  provides  for  optimum  maintenance 
decisions,  given  the  information  available  at  the  time.  The  process  of 
developing  an  initial  RCM  program  therefore  consists  of  the  following 
steps: 

► Partitioning  the  equipment  into  object  categories  to  identify  those 
items  that  require  intensive  study 

► Identifying  significant  items,  those  whose  failure  would  have  safety 
or  major  economic  consequences  for  the  equipment  as  a whule,  and 
all  hidden  functions,  which  require  scheduled  maintenance  regard- 
less of  their  significance 

► Evaluating  the  maintenance  requirements  for  each  significant  item 
and  hidden  function  in  terms  of  the  failure  consequences  and  select- 
ing only  those  tasks  which  will  satisfy  these  requirements 

► Identifying  items  for  which  no  applicable  and  effective  task  can  be 
found  and  either  recommending  design  changes  if  safety  is  involved 
or  assigning  no  scheduled-maintenance  tasks  to  these  items  until 
further  information  becomes  available 
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► Selecting  conservative  initial  intervals  for  each  of  the  included  tasks 

and  grouping  the  tasks  in  maintenance  packages  for  application 

► Establishing  an  age-exploration  program  to  provide  the  factual 

information  necessary  to  revise  initial  decisions 

The  first  of  these  steps  is  intended,  as  a purely  practical  matter, 
to  reduce  the  problem  of  analysis  to  manageable  size  and  to  focus  it 
according  to  areas  of  engineering  expertise.  The  next  three  steps  are 
the  crux  of  RCM  analysis.  They  involve  a specific  sequence  of  decision 
questions,  worded  to  indicate  the  information  required  for  a yes/no 
answer  in  each  case.  Where  this  information  is  not  available,  a default 
answer  specifies  the  action  that  will  best  protect  the  equipment  until 
there  is  a basis  for  some  other  decision.  This  decision-diagram  tech- 
nique, described  in  full  in  Chapter  4,  not  only  provides  an  orderly  basis 
for  making  decisions  with  limited  information,  but  also  results  in  a clear 
audit  trail  for  later  review. 

In  the  airline  industry  all  scheduled-maintenanee  programs  are,  of 
course,  subject  to  FAA  review  and  approval.  The  initial  program  for 
each  new  type  of  equipment  is  promulgated  by  the  FAA  Maintenance 
Review  Board.  This  document,  developed  in  conference  with  the  equip- 
ment manufacturers  and  the  purchasing  airlines,  forms  the  basis  of  the 
initial  program  submitted  by  each  airline  for  FAA  approval.  Organize 
tions  operating  other  equipment  in  the  civilian  and  military  spheres 
may  define  their  initial  maintenance  programs  differently,  but  some 
comparable  review  procedure  is  usually  involved. 

Because  any  initial  scheduled-maintenanee  program  must  be  devel- 
oped and  implemented  in  advance  of  actual  operational  data,  an  im- 
portant element  of  RCM  programs  is  age  exploration,  a procedure  for 
systematic  gathering  of  the  information  necessaiy  to  determine  the 
applicability  of  some  maintenance  tasks  and  evaluate  the  effectiveness 
of  others.  As  this  information  accumulates,  the  same  decision  diagram 
provides  a means  of  revising  and  refining  the  initial  program.  Much  of 
this  information  is  already  available,  of  course,  for  equipment  that  has 
been  in  service  for  some  time.  Although  the  specific  data  needed  may 
have  to  be  retrieved  from  several  different  information  systems,  and 
the  remaining  useful  life  of  the  equipment  will  be  a factor  in  certain 
decisions,  RCM  analysis  under  these  circumstances  will  result  in  fewer 
default  decisions,  and  hence  a near-optimum  program  at  the  outset. 
Such  programs  usually  include  a larger  number  of  on-condition  inspec- 
tions than  the  programs  arrived  at  under  older  policies,  and  fewer  of 
the  scheduled  rework  tasks  which  had  been  included  simply  because 
there  was  no  evidence  that  they  should  not  be  done. 

An  effective  scheduled-maintenanee  program  will  realize  all  the 
reliability  of  which  the  equipment  is  capable.  However,  no  form  of  pre- 
ventive maintenance  can  alter  characteristics  that  are  inherent  in  the 


design.  The  residual  failures  that  occur  after  all  applicable  and  effective 
. preventive  tasks  have  been  implemented  reflect  the  inherent  capability 
of  the  equipment,  and  if  the  resulting  level  of  reliability  is  inadequate. 
• the  only  recourse  is  engineering  redesign.  Th>s  effort  may  be  diiected 
at  a single  component  to  correct  for  a dominant  failure  mode  or  it  may 
be  directed  at  some  characteristic  that  will  make  a particular  preventive 
technique  feasible.  Product  improvement  of  this  kind  takes  place- rou- 
tinely during  the  early  years  of  operation  of  any  complex  equipment. 
Thus,  although  reliability-centered  maintenance  is  concerned  in  the 
short  run  with  tasks  based  on  the  actual  reliability  characteristics  of  the 
equipment,  it  is  also  concerned  with  improvements  that  will  ultimately 
increase  delivered  teliability. 


I • 3 RELIABILITY  PROBLEMS  IN 
COMPLEX  EQUIPMENT 


Failures  are  inevitable  in  any  complex  equipment,  although  their  con- 
sequences can  be  controlled  by  careful  design  and  effective  mainte- 
nance. The  reason  for  this  failure  incidence  is  apparent  if  we  consider 
some  basic  differences  between  simple  and  complex  equipment.  Simple 
equipment  is  asked  to  perform  very  few  different  functions.  Such 
equipment  therefore  consists  of  only  a few  systems  and  assemblies, 
and  these  in  turn  may  be  so  simple  that  some  are  exposed  to  only  one 
possible  failure  mode.  In  most  cases  this  simplicity  extends  to  the 
structural  elements  as  well,  and  both  the  structure  and  the  various  items 
on  the  equipment  are  relatively  accessible  for  inspection. 

As  a result,  simple  equipment  has  certain  distinct  failure  charac- 
teristics. Because  it  is  exposed  to  relatively  few  failure  possibilities,  its 
overall  reliability  tends  to  be  higher.  For  the  same  reason,  these  failures 
tend  to  be  age-related;  each  type  of  failure  tends  to  concentrate  around 
some  average  age,  and  since  only  a few  types  of  failure  are  involved, 
they  govern  the  average  age  at  failure.  However,  in  the  absence  of 
redundancy  and  other  protective  features,  such  failures  may  have  fairly 
serious  consequences.  Thus  simple  equipment  is  often  protected  by 
"overdesign";  components  are  heavier  and  bulkier  than  necessary, 
and  familiar  materials  and  processes  are  used  to  avoid  the  uncertainty 
associated  with  more  complex  high-performance  equipment. 

All  in  all,  the  traditional  idea  that  failures  are  directly  related  to 
safety  and  that  their  likelihood  varies  directly  with  age  is  often  true 
for  simple  equipment.  In  any  case,  it  is  fairly  easy  to  make  an  exhaus- 
tive' study  of  such  equipment  to  determine  its  scheduled-maintenance 
requirements. 

The  situation  is  quite  different  with  the  complex  equipment  in  use 
today.  The  general-aviation  aircraft  of  the  1930s  usually  had  a at  - pie 
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reciprocating  engine,  a fixed-pitch  propeller,  fixed  landing  gear,  and 
no  wing  flaps.  The  modem  airplane  may  have  several  turboprop  or 
. turbojet  powerplants,  retractable  landing  gear,  movable  high-lift  de- 

vices, at\  airframe  anti-icing  system,  pressure*  and  temperature-control 
systems  for  the  cabin,  extensive  communications  and  navigation  equip- 
ment, complex  cockpit  instrumentation,  and  complex  ancillary  systems 
to  support  all  these  additional  items.  This  increased  complexity  has 
greatly  expanded  the  safe  operational  capability  of  the  aircraft.  The 
simple  airplane  of  the  1930s  was  restricted  to  trips  of  a few  hundred 
miles  under  reasonab'y  favorable  weather  conditions.  The  higher  per- 
formance capability  demanded  of  modem  equipment,  however,  has 
greatly  increased  not  only  the  number  of  items  that  can  fail,  but  the 
types  of  failure  that  can  occur. 

Each  new  design  of  any  high-performancecquipment  is  essentially 
an  attempt  to  make  earlier  designs  technologically  obsolete,  with  the 
usual  measure  of  improvement  being  potential  operating  capability 
(including  operating  costs).  In  other  wonis,  this  is  the  operating  capa- 
bility expected  in  the  absence  of  any  failures  that  might  change  the 
circumstances.  The  basis  for  evaluating  new  aircraft  designs  usually 
includes  performance  factors  such  as  the  following. 

► The  maximum  payload  (military  or  commercial)  that  can  be  carried 
over  a given  distance 

► The  maximum  distance  over  which  a given  payload  can  be  carried 

► The  minimum  size  of  the  vehicle  that  con  carry  a given  payload 
over  a given  distance 

► The  highest  speed  that  can  be  attained  under  defined  payload/ 
range  conditions 

► Special  capabilities,  such  as  the  ability  to  traverse  rough  terrain, 
operate  from  short  runways,  or  withstand  punishment 

In  some  cases  these  factors  are  weighed  against  the  anticipated  direct 
operating  costs  (including  maintenance  costs)  associated  with  attaining 
such  capabilities,  since  a major  objective  may  be  to  achieve  the  mini- 
mum cost  per  unit  of  payload  transported.  In  other  cases  performance 
takes  precedence  over  cost.  This  is  true  not  only  of  military  equipment, 
but  of  certain  types  of  civilian  equipment,  where  there  is  an  adequate 
market  for  specialized  capability  despite  its  cost. 

Another  aspect  of  performance  demands,  of  course,  is  the  trend 
toward  increasing  automation.  Examples  are  everywhere  — automatic 
flight -control  systems  in  aircraft,  including  automatic  approach  and 
landing  equipment;  automatic  transmissions  in  automobiles;  auto- 
mated traffic-control  systems  for  rapid-transit  trains;  and  automatic 
introduction  aperture-setting  devices  in  cameras. 


The  design  of  complex  equipment,  therefore,  is  always  a tradeoff 
between  achieving  the  required  performance  capability  and  acceptable 
reliability.  This  tradeoff  entails  an  intentional  compromise  between  the 
lightness  and  compactness  required  for  high  performance  and  the 
weight  and  bulk  required  for  durability.  Thus  it  is  neither  econom- 
ically nor  technologically  feasible  to  produce  complex  equipment  that 
can  sustain  trouble-free  operation  for  an  indefinite  period  of  time. 
Although  the  reliability  of  certain  items  that  perform  single  functions 
may  be  improving,  the  number  of  such  items  has  been  vastly  multi- 
plied. It  is  therefore  inevitable  that  failures  will  occur— that  is,  that 
certain  parts  of  the  equipment  will  lose  the  capability  of  performing 
their  specified  functions. 

Our  concern  is  not  with  the  number  of  these  failures,  but  with  the 
consequences  of  a given  failure  for  the  equipment  as  a whole.  Will 
the  loss  of  a particular  function  endanger  the  equipment  or  its  occu- 
pants? If  not,  is  it  necessary  to  abort  the  mission  or  take  the  equipment 
out  of  service  until  repairs  can  be  made?  Or  can  unrestricted  operation 
continue  and  the  repair  be  deferred  to  a convenient  time  and  place?  The 
ability  to  defer  failure  consequences  depends  largely  on  the  design  of 
the  equipment.  One  strategy  is  the  use  of  redundancy  and  fail-safe 
construction.  Another  strategy  is  failure  substitution,  the  use  of  a minor 
failure  to  preempt  a major  one,  as  in  the  use  of  fuses  and  circuit 
breakers.  This  latter  concept  extends  to  maintenance  activities  in  which 
potential  failures  are  used  to  preempt  functional  failures.  Thus  the 
design  may  include  various  instrumentation  to  give  some  warning  of 
an  impending  failure  or  other  features  which  facilitate  inspection  for 
possible  deterioration.  All  these  features  actually  increase  the  number 
of  failure  possibilities  in  the  sense  that  they  add  more  items  that  could 
fail.  However,  they  greatly  reduce  the  consequences  of  any  single  failure. 


1-4  AN  OVERVIEW  OF  MAINTENANCE  ACTIVITY 


The  activities  of  a maintenance  organization  include  both  the  scheduled 
work  that  is  performed  to  avoid  failures  and  the  corrective  work  that  is 
performed  after  failures  have  occurred.  Our  present  concern  is  with 
preventive  maintenance,  the  program  of  scheduled  tasks  necessary  to 
ensure  safe  and  reliable  operation  of  the  equipment.  The  complete  col- 
lection of  these  tasks,  together  with  their  assigned  inter  - . is  termed 
the  scheduled  maintenance  program.  This  program  includes  o.  the  tasks 
that  are  scheduled  in  advance  — servicing  and  lubrication,  inspection, 
and  scheduled  removal  and  replacement  of  items  on  the  equipment. 
Exhibit  1.1  lists  some  typical  tasks  in  such  a program. 

In  order  to  accomplish  the  anticipated  corrective  and  scheduled 
maintenance,  an  operating  organization  must  establish  an  overall  sup- 
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EXHIBIT  I ‘I  Typical  scheduled-maintenancc  tasks  for  various  items 
on  aircraft.  Some  scheduled  tasks  are  performed  on  the  aircraft  at 
line-maintenance  stations  and  others  are  performed  at  the  major 
maintenance  base,  either  as  part  of  a larger  maintenance  package  or 
as  part  of  the  shop  procedure  whenever  a failed  unit  is  sent  to  the 
maintenance  base  for  repair. 


nature  of  item 


scheduled-maintenance  task 


SYSTEMS  ITEMS 
Fuel'pump  assembly 
(Douglas  A4) 


Brake  assembly,  main  landing 
gear  (Douglas  DC-10) 


POWERFLANT  ITEMS 
Compressor  rear  frame 
(General  Electric  CF6-6) 


Nozzle  guide  vanes 
(Pratt  & Whitney  JT8D-7) 


Tenth-stage  compressor  blades 
(Pratt  & Whitney  JT4) 


Stage  3 turbine  disk 
(Pratt  & Whitney  JT9D) 


STRUCTURAL  ITEMS 
Rear  spar  at  bulkhead 
intersection  (Douglas  DC-10) 


Shock  strut,  main  landing 
gear  (Boeing  737) 


On-condition  (on  aircraft): 
Inspect  filter  for  contamination 

On-condition  (on  aircraft): 
Inspect  drive  shaft  for  spline 
wear 

On-condition  (on  aircraft): 
Inspect  brake  wear  indicators 

On-condition  (in  shop):  Test 
automatic  brake  adjuster 


On-condition  (on  aircraft): 
Inspect  front  flange  for  cracks 
emanating  from  bolt  holes 

On-condition  (on  aircraft): 
Perform  borescope  inspection 
for  burning,  cracking,  or 
bowing  of  guide  vanes 

Scheduled  rework: 

Shot-peen  blade  dovetail  and 
apply  antigalling  compound 

Scheduled  discard:  Replace 
turbine  disk  with  new  part 


On-condition  (on  aircraft): 
Inspect  specified  intersections 
in  zones  531,  631, 141,  142  for 
cracks  and  corrosion 

On-condition  (in  shop):  Strip 
cadmium  plate  and  inspect 
for  cracks  and  corrosion 


task  interval 


60  operating  hours 


1,000  operating  hours 


During  overnight  stops 
and  walkaround  checks 

Whenever  brake  assembly 
is  in  shop 


500  flight  cycles  or  phase 
check  (134  days),  whichever 
is  first 

1,000  operating  hours 


6,000  operating  hours 


15,000  flight  cycles  or  30,000 
operating  hours,  whichever 
is  first 


Primary  strength-indicator 
areas  5,000  operating  hours, 
internal  fuel-tank  areas 
20,000  hours 

19,500  operating  hours 


port  plan  which  includes  the  designation  of  maintenance  stations,  staff- 
ing with  trained  mechanics,  provision  of  specialized  testing  equipment 
and  parts  inventories,  and  so  on.  The  overall  maintenance  plan  of  an 
airline  is  typical  of  that  for  any  transportation  system  in  which  each 
piece  of  equipment  operates  through  many  stations  but  has  no  unique 
home  station. 

A large  proportion  of  the  failures  that  occur  during  operation  are 
first  observed  and  reported  by  the  operating  crew.  Some  of  these  must 
be  corrected  after  the  next  landing,  and  a few  are  serious  enough  to 
require  a change  in  flight  plan.  The  correction  of  many  other  failures, 
however,  can  be  deferred  to  a convenient  time  and  location.  Those  line 
stations  with  a high  exposure  to  the  need  for  immediate  corrective  work 
are  designated  as  maintenance  stations  and  are  equipped  with  trained 
mechanics,  spare-parts  inventory,  and  the  facilities  necessary  to  carry 
out  such  repairs.  United  Airlines  serves  91  airline  stations  with  19  such 
maintenance  stations. 

The  decision  to  designate  a particular  station  as  a maintenance 
station  depends  chiefly  on  the  amount  of  traffic  at  that  station  and  the 
reliability  of  the  aircraft  involved.  A station  at  which  the  greatest  volume 
of  repairs  is  expected  is  the  logical  first  choice.  However,  other  consid- 
erations may  be  the  frequency  with  which  the  operating  schedule  pro- 
vides ov.  ight  layovers,  the  relative  ease  of  routing  other  aircraft  to 
that  station,  the  availability  of  mechanics  and  parts  to  support  other 
types  of  aircraft,  the  planned  volume  of  scheduled-maintenance  work, 
and  so  on. 

Line-maintenance  stations  themselves  vary  in  size  and  complexity  . 
The  facilities  needed  for  immediate  corrective  work  establish  the  mini- 
mum resources  at  any  given  maintenance  station,  but  operating  organi- 
zations generally  consolidate  the  bulk  of  the  deferrable  work  at  a few  of 
these  stations  for  greater  economy.  To  simplify  the  control  of  scheduled 
maintenance,  individual  tasks  art  grouped  into  a fairly  small  number 
of  maintenanc-  ackages  for  execution.  Like  deferrable  corrective  work, 
these  sched  maintenance  packages  can  be  a!  signed  to  any  con- 
venient maim  ice  station.  Thus  the  more  involved  work  is  generally 
. assigned  to  th*  line  stations  already  equipped  with  the  staff  and 
inventories  for  tensive  corrective  work. 

Not  all  scheduled-maintenance  tasks  can  be  carried  out  at  line  sta- 
tions. Major  structural  inspections,  scheduled  rework,  and  inspections 
which  entail  exter-s;  a dissassembly  are  best  handled  at  a major  main- 
tenance base  equipped  with  shop  facilities.  The  major  base  also  repairs 
failed  units  that  a moved  from  aircraft  at  the  line  stations.  Few  such 
maintenance  bases  are  needed,  and  reliability  considerations  generally 
determine  their  size  and  manpower  requirements,  rather  than  their 
location.  Many  large  airlines  operate  efficiently  with  only  one  main- 
tenance base.  The  work  performed  at  a maintenance  base  is  generally 
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termed  shop  maintenance  to  differentiate  it  from  line  maintenance,  which 
consists  primarily  of  replacing  failed  units  rather  than  repairing  them. 

The  entire  process  by  which  a detailed  support  plan  is  developed 
is  beyond  the  scope  of  this  volume.  Suffice  it  to  say  that  a detailed  plan 
is  necessary  in  order  to  implement  a scheduled-maintenance  program. 
Our  concern  here  is  with  the  development  of  such  a program — or  rather, 
with  the  principles  underlying  its  development.  In  the  following  chap- 
ters we  will  examine  the  nature  of  failures,  the  basis  on  which  their  con- 
sequences are  evaluated,  and  the  specific  criteria  that  determine  the 
applicability  and  effectiveness  of  a given  type  of  preventive  task.  With 
this  framework  established,  we  will  consider  the  decision  'ogic  that 
results  in  a scheduled-maintenance  program  based  on  the  actual  reli- 
ability characteristics  of  the  equipment.  This  reliability-centered  ap- 
proach ensures  that  the  inherent  safety  and  operating  capability  of  the 
equipment  will  be  realized  at  the  minimum  cost,  given  the  information 
available  at  any  time. 

The  chapters  in  Part  Two  illustrate  the  application  of  RCM  decision 
logic  to  specific  hardware  examples  and  discuss  some  of  the  informa- 
tion processes  involved  in  the  continuing  evolution  of  the  maintenance 
program  after  the  equipment  enters  service.  All  these  illustrations  are 
drawn  from  commercial-aircraft  applications.  However,  it  should  be 
clear  from  the  discussion  in  P^rt  One  that  the  basic  principles  of  RCM 
programs  extend  not  just  to  other  operating  contexts,  but  to  maintenance 
programs  for  any  complex  equipment. 
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CHAPTER  TWO 


the  nature  of  failure 


THE  parts  of  any  mechanical  equipment  are  subject  to  wear,  corrosion, 
and  fatigue  which  inevitably  result  in  some  deviation  from  the  condi- 
tions that  existed  when  the  equipment  was  new.  Ultimately  the  devia- 
tion will  become  great  enough  that  the  equipment,  or  some  item  on  it, 
no  longer  meets  the  required  performance  standards  - that  is,  it  fails. 
The  role  of  scheduled  maintenance  is  to  cope  with  the  failure  process. 
For  years,  however,  the  chief  focus  has  been  on  anticipating  the  age  at 
which  things  were  likely  to  fail,  rather  than  on  how  they  fail  and  the 
consequences  of  such  failures.  As  a result,  there  has  been  insufficient 
attention  to  the  failure  process  itself,  and  even  less  attention  to  the 
question  of  precisely  what  constitutes  a failure. 

One  reason  for  this  lack  of  attention  has  been  the  common  assump- 
tion that  all  equipment  "wears  out"  and  inevitably  becomes  less  reli- 
able with  increasing  operating  age.  This  assumption  led  to  the  conclu- 
sion that  the  overall  failure  rate  of  an  item  will  always  be  reduced  by 
an  age  limit  which  precludes  operation  at  ages  where  the  likelihood  of 
failure  is  greater.  In  accordance  with  this  hard-time  policy,  all  units  were 
taken  out  of  service  when  they  reached  a specified  age  and  were  sent 
tc  the  major  maintenance  base  for  complete  disassembly  and  overhaul, 
a procedure  intended  to  restore  each  part  to  its  original  condllion, 

It  is  now  known  that  the  reliability  of  most  complex  items  does  not 
vary  directly  with  operating  age,  at  least  not  in  such  a way  as  to  make 
hard-time  overhaul  a useful  concept.  Procedures  directed  at  obtaining 
some  precise  evidence  that  a failure  is  imminent  are  frequently  a far 
superior  weapon  against  failure.  However,  to  understand  the  specific 
nature  of  such  procedures  as  they  pertain  to  an  RCM  program,  it  is 
necessary  to  take  a closer  look  at  the  entire  concept  of  failure.  Without 
16  theory  and  principles  a precise  definition  of  what  condition  represents  a failure,  there  is  no 


way  either  to  assess  its  consequences  or  to  define  the  physical  evidence 
for  w tich  to  inspect.  The  term  failure  must,  in  fact,  be  given  a far  more 
explicit  meaning  than  "an  inability  to  function"  in  order  to  clarify  the 
basis  of  reliability-centered  maintenance. 

In  this  chapter  we  will  examine  the  problem  of  defining  failures 
and  some  of  tne  implications  this  has  for  the  analysis  of  failure  data.  We 
will  also  see  how  failure  consequences  are  evaluated,  both  in  terms  of 
single  failures  and  in  terms  of  multiple  failures.  Finally,  we  will  discuss 
the  process  of  failure  itself  and  see  why  complex  items,  unlike  simple 
items,  do  not  necessarily  wear  out. 

2*1  THE  DEFINITION  OF  FAILURE 


Each  of  us  has  some  intuitive  notion  of  what  constitutes  a failure.  We 
would  all  agree  that  an  automobile  engine,  a fuel  pump, -or  a tire  has 
failed  if  it  ceases  to  perform  its  intended  function.  But  there  are  times 
when  an  item  does  continue  to  function,  although  not  at  its  expected 
level.  An  automobile  engine  may  run  powerfully  and  smoothly,  but  its 
oil  consumption  is  high;  a fuel  pump  may  pump  fuel,  but  sluggishly; 
a tire  may  hold  air  and  support  the  car,  but  its  bald  tread  indicates  that 
it  will  do  neither  much  longer. 

Have  these  items  failed?  If  not,  how  bad  must  their  condition  be- 
come before  we  would  say  a failure  has  occurred?  Moreover,  if  any  of 
these  conditions  is  corrected,  the  time  required  for  unanticipated  re- 
pairs might  force  a change  in  other  plans,  such  as  the  delay  or  cancel- 
lation of  a trip.  In  this  event  could  it  still  be  argued  that  no  failure  had 
occurred? 


failure 

functional  failure 
potential  failure 
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To  cover  all  these  eventualities  we  can  define  a failure  in  broad 
terms  as  follows: 

A failure  is  an  unsatisfactory  condition. 

In  other  words,  a failure  is  any  identifiable  deviation  from  the  original 
condition  which  is  unsatisfactory  to  a particular  user.  The  determina- 
tion that  a condition  is  unsatisfactory,  however,  depends  on  the  con- 
sequences of  failure  in  a given  operating  context.  For  example,  high  oil 
consumption  in  an  aircraft  engine  may  pose  no  problem  on  short- 
or  medium-range  flights,  whereas  on  long-range  flights  the  same  rate 
of  consumption  would  exhaust  the  oil  supply.  Similarly,  engine- 
instrument  malfunctions  that  would  not  disrupt  operations  on  multi- 
engine  equipment  would  be  clearly  unsatisfactory  on  a single-engine 
plane,  and  performance  that  is  acceptable  in  a land-based  environment 
might  not  be  good  enough  for  carrier  operation. 

In  short,  the  exact  dividing  line  between  satisfactory  and  unsatis- 
factory conditions  will  depend  not  only  on  the  function  of  the  item  in 
question,  but  on  the  nature  of  the  equipment  in  which  it  is  installed 
and  the  operating  context  in  which  that  equipment  is  used.  The  deter- 
mination will  therefore  vary  from  one  operating  organization  to  another. 
Within  a given  organization,  however,  it  is  essential  that  the  boundaries 
between  satisfactory  and  unsatisfactory  conditions  be  defined  for  each 
item  in  clear  and  unmistakable  terms. 


FUNCTIONAL  FAILURE 

The  judgment  that  a condition  is  unsatisfactory  implies  that  there  must 
be  some  condition  or  performance  standard  on  which  this  judgment 
can  be  based.  As  we  have  seen,  however,  an  unsatisfactory  condition 
can  range  from  the  complete  inability  of  an  item  to  perform  its  intended 
function  to  some  physical  evidence  that  it  will  soon  be  unable  to  do  so. 
For  maintenance  purposes,  therefore,  we  must  classify  failures  further 
as  either  functional  failures  or  potential  failures: 


A functional  failure  is  the  inability  of  an  item  (or  the  equipment  con- 
taining it)  to  meet  a specified  performance  standard. 


A complete  loss  of  function  is  clearly  a functional  failure.  Note,  how- 
ever, that  a functional  failure  also  includes  the  inability  of  an  item  to 
function  at  the  level  of  performance  that  has  been  specified  as  satisfac- 
tory. This  definition  thus  provides  us  with  an  identifiable  and  measur- 
18  theory  AND  PRINCIPLES  abie  condition,  a basis  for  identifying  functional  failures. 
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To  define  a functional  failure  for  any  item  we  must,  of  course,  have 
a clear  understanding  of  its  functions.  This  is  not  a trivial  consideration. 
For  example,  if  we  say  that  the  function  of  the  broking  system  on  an  air- 
plane is  to  stop  the  plane,  then  only  one  functional  failure  is  possible - 
inability  to  stop  the  plane.  However,  this  system  also  has  the  functions 
of  providing  modulated  stopping  capability,  providing  differential 
braking  for  maneuvering  on  the  ground,  providing  antiskid  capability, 
and  so  on.  With  this  expanded  definition  it  becomes  clear  that  the 
braking  system  is  in  fact  subject  to  a number  of  different  functional 
failures.  It  is  extremely  important  to  determine  all  the  functions  of  an 
item  that  are  significant  in  a given  operating  context,  since  it  is  only  in 
these  terms  that  its  functional  failures  can  be  defined. 

POTENTIAL  FAILURE 

Once  a particular  functional  failure  has  been  defined,  some  physical 
condition  can  often  be  identified  which  indicates  that  this  failure  is 
imminent.  Under  these  circumstances  it  may  be  possible  to  remove  the 
item  from  service  before  the  point  of  functional  failure.  When  such 
conditions  can  be  identified,  they  are  defined  as  potential  failures: 


A potential  failure  is  an  identifiable  physical  condition  which  indicates 
a functional  failure  is  imminent. 


The  fact  that  potential  failures  can  be  identified  is  an  important  aspect 
of  modem  maintenance  theory,  because  it  permits  maximum  use  of 
each  item  without  the  consequences  associated  with  a functional  failure. 
Units  are  removed  or  repaired  ar  the  potential-failure  stage,  so  that 
potential  failures  preempt  functional  failures. 

For  some  items  the  identifiable  condition  that  indicates  imminent 
failure  is  directly  related  to  the  performance  criterion  that  defines  the 
functional  failure.  For  example,  one  of  the  functions  of  a tire  tread  is  to 
provide  a renewable  surface  that  protects  the  carcass  of  the  tire  so  that 
it  can  be  retreaded.  This  function  is  not  the  most  obvious  one,  and  it 
might  well  be  overlooked  in  a listing  of  tire  functions;  nevertheless,  it 
is  imporiant  from  an  economic  standpoint.  Repeated  use  of  the  tire 
wears  away  the  tread,  and  if  wear  continues  to  the  point  at  which  the 
carcass  cannot  be  retreaded,  a functional  failure  has  occurred.  To  pre- 
vent this  particular  functional  failure,  we  must  therefore  define  the 
potential  failure  as  some  wear  level  that  does  not  endanger  the  carcass. 

The  ability  to  identify  either  a functional  or  a potential  failure  thus 
depends  on  three  factors: 

► Clear  definitions  of  the  functions  of  an  item  us  they  relate  to  the 

equipment  or  operating  context  in  which  the  item  is  to  be  used 
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► A dear  definition  of  the  conditions  that  constitute  a functional 
failure  in  each  case 

► A clear  definition  of  the  conditions  that  indicate  the  imminence 
of  this  failure 

In  other  words,  we  must  not  only  define  the  failure;  we  must  also  spec- 
ify the  precise  evidence  by  which  it  can  be  recognized. 


2*2  THE  DETECTION  OF  FAILURES 


the  role  of  the  operating  crew 
evident  and  hidden  functions 
verification  of  failures 
interpreting  failure  data 


Both  functional  failures  and  potential  failures  can  be  defined  in  terms 
of  identifiable  conditions  for  a given  operating  context.  In  evaluating 
failure  data,  however,  it  is  important  to  take  into,  account  the  different 
frames  of  reference  of  several  sets  of  failure  observers  — the  operating 
crew,  the  line  mechanic,  the  shop  mechanic,  and  even  passengers. 
Understanding  how  and  when  the  observer  sees  a failure  and  how  he 
interprets  it  is  crucial  both  to  operating  reliability  and  to  effective  pre- 
ventive maintenance. 

The  detection  and  reporting  of  failures  depends  on  two  principal 
elements: 


► The  observer  must  be  in  a position  to  detect  the  failure.  This  "right" 
position  may  be  a physical  location,  a particular  moment  in  time, 
or  access  to  the  inspection  equipment  that  can  reveal  the  condition. 

► The  observer  must  have  standards  that  enable  him  to  recognize  the 
condition  he  sees  as  a failure,  either  functional  or  potential. 


DIE  ROLE  OF  THE  OPERATING  CREW 

Members  of  the  operating  crew  are  the  only  people  in  a position  to 
observe  the  dynamic  operation  of  the  equipment  in  its  normal  environ- 
ment. Whereas  an  airplane  in  a maintenance  facility  is  in  a static 
environment,  during  flight  its  systems  are  activated  and  the  whole 
machine  is  subjected  to  airloads  and  to  both  low  atmospheric  pressure 
and  low  outside  temperatures.  As  a result,  the  operating  crew  will  be 
the  first  to  observe  many  functional  failures.  Such  failures  are  often 
detected  at  the  time  a crew  member  calls  on  a function  and  finds  that 
it  is  impaired. 

In  most  complex  equipment  the  crew's  ability  to  observe  failures 
is  further  enhanced  by  extensive  instrumentation,  warning  lights,  or 
other  monitoring  devices.  In  some  cases  these  indicators  make  failures 
evident  at  the  moment  they  occur,  when  otherwise  they  might  go  un- 
detected until  the  function  was  needed.  Such  early  warning  provides 
20  THEORY  AND  principles  more  time  fo  changes  in  operating  strategy  to  offset  the  consequences 
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of  the  failure.  For  example,  certain  engine  malfunctions  may  require 
the  shutdown  of  one  engine  and  perhaps  the  selection  of  an  alternate 
landing  field,  or  an  auxiliary  hydraulic  pump  may  have  to  be  turned  on 
after  one  of  the  main  ones  fails.  Even  when  the  flight  can  be  continued 
»v  ithout  incident,  the  crew  is  required  to  record  the  failure  as  accurately 
as  possible  in  the  flight  log  so  the  condition  can  be  corrected  at  the 
earliest  opportunity. 

This  instrumentation  also  permits  the  crew  to  determine  whether 
i!?ms  that  are  still  operative  are  functioning  as  well  as  they  should.  In 
some  cases  reduced  performance  is  an  indication  of  an  imminent  fail- 
ure, and  these  conditions  would  also  be  examined  later  to  see  whether 
a potential  failure  exists. 

Not  surprisingly,  the  operating  crew  plays  a major  role  in  detecting 
failure  conditions.  This  is  illustrated  by  a study  of  the  support  costs  on 
a fleet  of  Boeing  747's  over  the  first  ten  months  of  1975  (a  total  of  51,400 
operating  hours).  In  this  case  66.1  percent  of  all  failure  reports  while  the 
plane  was  away  from  the  maintenance  base  originated  with  the  operat- 
ing crew,  and  these  failures  accounted  for  61.5  percent  of  the  total  man- 
hours for  corrective  line  maintenance.  The  other  33.9  percent  of  the 
reported  failures  included  potential  failures  detected  by  line  mechanics, 
along  with  other  failures  not  normally  evident  to  the  operating  crew. 

HIDDEN- FUNCTION  ITEMS 

Although  most  functional  failures  are  first  detected  by  the  operating 
crew,  many  items  are  subject  to  failures  that  the  crew  is  not  in  a posi- 
tion to  observe.  The  crew  duties  often  include  special  checks  of  certain 
hidden-function  items,  but  most  such  failures  must  be  found  by  inspec- 
tions or  tests  performed  by  maintenance  personnel.  To  ensure  that  we 
will  know  when  a failure  has  occurred,  we  must  know  that  the  observer 
is  in  a position  to  detect  it.  Hence  for  maintenance  purposes  a basic 
distinction  is  made  between  evident  and  hidden  functions  from  the  van- 
tage point  of  the  operating  crew: 


An  evident  function  is  one  whose  failure  will  be  evident  to  the  operating 
crew  during  the  performance  of  normal  duties. 


A hidden  function  is  one  whose  failure  will  not  be  evident  to  the  operat- 
ing crew  during  the  performance  of  normal  duties. 


An  item  may  have  several  functions,  any  one  of  which  can  fail.  If  the 
loss  of  one  of  these  functions  would  not  be  evident,  the  item  must  be 

classified  from  the  maintenance  standpoint  as  a hidden-function  item.  SECTION  2*2  21 


Hidden  funt  dons  may  be  of  two  kinds: 

► A function  that  is  normally  active  but  gives  no  indication  to  the 
operating  crew  if  it  ceases 

► A function  that  is  normally  inactive,  so  that  the  crew  cannot  know 
whether  it  will  be  available  when  it  is  needed  (usually  the  demand 
follows  some  other  failure) 

The  fire-detection  system  in  an  aircraft  powerplant  falls  into  the  first 
category,  This  system  is  active  whenever  the  engine  is  in  use,  but  its 
sensing  function  is  hidden  unless  it  detects  a fire;  thus  if  it  fails  in  some 
way,  its  failure  is  similarly  hidden.  The  fire-extinguishing  system  that 
backs  up  this  unit  has  the  second  kind  of  hidden  function.  It  is  not 
activated  unless  a fire  is  detected,  and  only  when  it  is  called  upon  to 
operate  does  the  crew  find  out  whether  it  works. 

In  addition  to  inspecting  for  potential  failures,  maintenance  per- 
sonnel also  inspect  most  hidden-function  items  for  functional  failures. 
Thus  the  operating  crew  and  the  maintenance  crew  complement  one 
another  as  failure  observers. 

VERIFICATION  OF  FAILURES 

Operating  crews  occasionally  report  conditions  which  appear  unsatis- 
factory to  them,  but  which  are  actually  satisfactory  according  to  the 
defined  standards  for  condition  and  performance.  This  is  a basic  prin- 
ciple of  prevention.  The  operating  crew  cannot  always  know  when  a 
particular  deviation  represents  a potential  failure,  and  in  the  interests 
of  safety  the  crew  is  required  to  report  anything  questionable.  In  most 
airlines  the  operating  crew  can  communicate  directly  with  a central 
group  of  maintenance  specialists,  or  controllers,  about  any  unusual  con- 
ditions observed  during  flight.  The  controllers  can  determine  the  con- 
sequences of  the  condition  described  to  them  and  advise  the  crew 
whether  to  land  as  soon  as  possible  or  continue  the  flight,  with  or  with- 
out operating  restrictions.  The  controllers  are  also  in  a position  to  deter- 
mine whether  the  condition  should  be  corrected  before  the  plane  is 
dispatched  again.  This  advice  is  particularly  important  when  a plane  is 
operating  into  a station  which  is  not  a maintenance  station. 

Once  the  plane  is  available  for  maintenance  inspection,  the  main- 
tenance crew  is  in  a better  position  to  diagnose  the  problem  and  deter- 
mine whether  a failure  condition  actually  does  exist.  Thus  the  suspect 
item  may  be  replaced  or  repaired  or  marked  "OK  for  continued  opera- 
tion." The  fact  that  failure  observers  have  different  frames  of  reference 
for  interpreting  the  conditions  they  see  often  makes  it  difficult  to  evalu- 
ate failure  reports.  For  example,  a broken  seat  recliner  is  recognizable 
22  theory  and  PRINCIPLES  to  any  observer  as  a failure.  Frequently  a passenger  will  notice  the  con- 
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dition  first  and  complain  about  it  to  the  flight  attendant.  The  line 
mechanic  at  the  next  maintenance  station  will  take  corrective  action, 
usually  by  replacing  the  mechanism  and  sending  the  failed  unit  to  the 
maintenance  base,  where  the  shop  mechanic  will  record  the  failure  and 
make  the  repair.  In  this  case  all  four  types  of  observer  would  have  no 
difficulty  recognizing  the  failure. 

The  situation  is  somewhat  different  with  an  in-flight  engine  shut- 
down as  a result  of  erratic  instrument  readings.  Although  the  passen- 
gers would  not  be  aware  that  a failure  had  occurred,  the  operating  crew 
would  report  an  engine  failure.  However,  the  line  mechanic  might  dis- 
cover that  the  failure  was  in  the  cockpit  instruments,  not  the  engine.  He 
would  then  replace  the  faulty  instrument  and  report  an  instrument  fail- 
ure. Thus  the  crew  members  are  the  only  ones  in  a position  to  observe 
the  failure,  but  they  are  not  in  a position  to  interpret  it.  Under  other 
circumstances  the  situation  may  be  reversed.  For  example,  on  certain 
engines  actual  separation  of  the  turbine  blades  — a functional  failure  — 
is  preceded  by  a perceptible  looseness  of  one  or  more  blades  in  their 
mounts.  If  the  blades  separate,  both  the  operating  crew  and  the  passen- 
gers may  become  abrubtly  aware  of  the  functional  failure,  but  since 
the  engine  functions  normally  with  loose  blades,  neither  crew  nor 
passengers  have  any  reason  to  suspect  a potential  failure.  In  this  case 
the  crew  members  might  be  able  to  interpret  the  condition  as  a poten- 
tial failure,  but  they  are  not  in  a position  to  observe  it. 

The  line  mechanic  who  inspects  the  engine  as  part  of  scheduled 
maintenance  will  check  for  loose  blades  by  slowly  rotating  the  turbine 
assembly  and  feeling  the  blades  with  a probe  (typically  a length  of  stiff 
rubber  or  plastic  tubing).  If  he  finds  any  loose  blades,  he  will  report  a 
failure  and  remove  the  engine.  The  mechanics  in  the  engine-repair  shop 
are  in  an  even  better  position  for  detailed  observation,  since  they  must 
go  inside  the  engine  case  to  get  at  the  faulty  blades.  (On  occasion  they 
may  be  the  first  to  observe  loose  blades  in  an  engine  removed  for  other 
reasons.)  If  they  Confirm  the  line  mechanic's  diagnosis,  they  will  report 
the  failure  as  verified. 

Of  course,  the  situation  is  not  always  this  clear  cut.  Often  there  are 
no  precise  troubleshooting  methods  to  determine  exactly  which  com- 
ponent or  part  is  responsible  for  a reported  malfunction.  Under  these 
circumstances  the  line  mechanic  will  remove  several  items,  any  one  of 
which  might  have  caused  the  problem.  This  practice  is  sometimes 
referred  to  as  "shotgun"  troubleshooting.  Many  of  these  suspect  items 
will  show  normal  performance  characteristics  when  they  are  tested  at 
the  maintenance  base.  Thus,  although  they  are  reported  as  failures  at 
the  time  they  are  removed  from  the  equipment,  from  the  shop  mechan- 
ic's frame  of  reference  they  are  unverified  failures.  By  the  same  token, 
differences  between  the  testing  environment  and  the  field  environment 
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will  sometimes  result  in  unverified  failures  for  items  that  are  actually 
suffering  functional  failures  in  the  field. 

Units  removed  from  equipment  either  as  potential  failures  or  be- 
cause of  malfunctions  are  termed  premature  removals.  This  term  came 
into  use  when  most  equipment  items  had  a fixed  operating-age  limit. 
A unit  removed  when  it  reached  this  limit  was  "time-expired,"  whereas 
one  removed  because  it  had  failed  (or  was  suspected  of  having  failed) 
before  this  age  limit  was  a "premature"  removal. 

INTERPRETING  FAILURE  DATA 

The  problem  of  interpreting  failure  data  is  further  complicated  by  dif- 
ferences in  reporting  policy  from  one  organization  to  another.  For 
example,  one  airline  might  classify  an  engine  removed  because  of  loose 
turbine  blades  as  a failure  (this  classification  would  be  consistent  with 
our  definition  of  a potential  failure).  This  removal  and  all  others  like  it 
would  then  be  counted  as  failures  in  all  failure  data.  Another  airline 
might  classify  such  removals  as  "precautionary,"  or  even  as  "sched- 
uled" (having  discovered  a potential  failure,  they  would  then  schedule 
the  unit  for  removal  at  the  earliest  opportunity).  In  both  these  cases  the 
removals  would  not  be  reported  as  failures. 

Similar  differences  arise  as  a result  of  varying  performance  require- 
ments. The  inability  of  an  item  to  meet  some  specified  performance 
requirement  is  considered  a functional  failure.  Thus  functional  failures 
(and  also  potential  failures)  are  created  or  eliminated  by  differences  in 
the  specified  limits;  even  in  the  same  piece  of  equipment,  what  is  a 
failure  to  one  organization  will  not  necessarily  be  a failure  to  another. 
These  differences  exist  not  only  from  one  organization  to  another,  but 
within  a single  organization  over  a long  calendar  period.  Procedures 
change,  or  failure  definitions  are  revised,  and  any  of  these  changes  will 
result  in  a change  in  the  reported  failure  rate. 

Another  factor  that  must  be  taken  into  account  is  the  difference  in 
orientation  between  manufacturers  and  users.  On  one  hand,  the  oper- 
ating organization  tends  to  view  a failure  for  any  reason  as  undesirable 
and  expects  the  manufacturer  to  improve  the  product  to  eliminate  all 
such  occurrences.  On  the  other  hand,  the  manufacturer  considers  it  his 
responsibility  to  deliver  a product  capable  of  performing  at  the  war- 
ranted reliability  level  (if  there  is  one)  under  the  specific  stress  condi- 
tions for  which  it  was  designed.  If  it  later  develops  that  the  equipment 
must  frequently  be  operated  beyond  these  conditions,  he  will  not  want 
to  assume  responsibility  for  any  failures  that  may  have  been  caused  or 
accelerated  by  such  operation.  Thus  manufacturers  tend  to  "censor" 
the  failure  histories  of  operating  organizations  in  light  of  their  indi- 
vidual operating  practices.  The  result  is  that  equipment  users,  with 
some  confusion  among  them,  talk  about  what  they  actually  saw,  while 
24  THEORY  AND  PRINCIPLES  the  manufacturer  talks  about  what  they  should  have  seen. 
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2*3  THE  CONSEQUENCES  OF  FAILURE 


While  failure  analysis  may  have  some  small  intrinsic  interest  of  its  own, 
the  reason  for  our  concern  with  failure  is  its  consequences.  These  may 
range  from  the  modest  cost  of  replacing  a failed  component  to  the  pos- 
sible destruction  of  a piece  of  equipment  and  the  loss  of  lives.  Thus  all 
reliability-centered  maintenance,  including  the  need  for  redesign,  is 
dictated,  not  by  the  frequency  of  a particular  failure,  but  by  the  nature 
of  its  consequences.  Any  preventive-maintenance  program  is  therefore 
based  on  the  following  precept: 


The  consequences  of  a failure  determine  the  priority  of  the  maintenance 
activities  or  design  improvement  required  to  prevent  its  occurrence. 


The  more  complex  any  piece  of  equipment  is,  the  more  ways  there  are 

in  which  it  can  fail.  All  failure  consequences,  however,  can  be  grouped 

in  the  following  four  categories: 

► Safety  consequences,  involving  possible  loss  of  the  equipment  and 
its  occupants 

► Operational  consequences,  which  involve  an  indirect  economic 
loss  as  well  as  the  direct  cost  of  repair 

► Nonopera tional  consequences,  which  involve  only  the  direct  cost  of 
repair 

► Hidden-failure  consequences,  which  have  no  direct  impact,  but 
increase  the  likelihood  of  a multiple  failure 

SAFETY  CONSEQUENCES 

The  first  consideration  in  evaluating  any  failure  possibility  is  safety: 


Does  the  failure  cause  a loss  of  function  or  secondary  damage  that  could 
have  a direct  adverse  effect  on  operating  safety? 


Suppose  the  failure  in  question  is  the  separation  of  a number  of 
turbine  blades  on  an  aircraft  engine,  causing  the  engine  to  vibrate 
heavily  and  lose  much  of  its  thrust.  This  functional  failure  could  cer- 
tainly affect  the  safety  of  a single-engine  aircraft  and  its  occupants, 
since  the  loss  of  thrust  will  force  an  immediate  landing  regardless  of 
the  terrain  below.  Furthermore,  if  the  engine  is  one  whose  case  cannot 
contain  ejected  blades,  the  blades  may  be  thrown  through  the  engine 
case  and  cause  unpredictable,  and  perhaps  serious,  damage  to  the 


safety  consequences 
operational  consequences 
nonoperational  consequences 
hidden- failure  consequences 
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plane  itself.  There  is  also  danger  from  hot  gases  escaping  from  the 
tom  engine  case.  In  a multiengine  plane  the  loss  of  thrust  would  have 
no  direct  effect  on  safety,  since  the  aircraft  can  maintain  altitude  and 
complete  its  flight  with  one  engine  inoperative.  Hence  the  loss  df  func- 
tion is  not  in  itself  cause  for  alarm.  However,  both  plane  and  passengers 
will  still  be  endangered  by  the  possible  secondary  damage  caused  by 
the  ejected  blades.  In  this  case,  therefore,  the  secondary  effects  are 
sufficient  reason  to  classify  the  failure  as  critical. 

A critical  failure  is  any  failure  that  could  have  a direct  effect  on 
safety.  Note,  however,  that  the  term  direct  implies  certain  limitations. 
The  impact  of  the  failure  must  be  immediate  if  it  is  to  be  considered 
direct;  that  is,  the  adverse  effect  must  be  one  that  will  be  felt  before 
planned  completion  of  the  flight.  In  addition,  these  consequences  must 
result  from  a single  failure,  not  from  some  combination  of  this  failure 
with  one  that  has  not  yet  occurred.  An  important  fact  follows  from  this: 

► All  critical  failures  will  be  evident  to  the  operating  crew.  If  a failure 
has  no  evident  results,  it  cannot,  by  definition,  have  a direct  effect 
on  safety. 

It  may  be  necessary  to  remove  a plane  from  service  to  correct  certain 
failures  before  continuing  operation,  and  in  some  cases  it  may  even  be 
advisable  to  discontinue  the  flight.  However,  as  long  as  the  failure  itself 
has  no  immediate  safety  consequences,  the  need  for  these  precaution- 
ary measures  does  not  justify  classifying  this  failure  as  critical. 

Not  every  critical  failure  results  in  an  accident;  some  such  failures, 
in  fact,  have  occurred  fairly  often  with  no  serious  consequences.  How- 
ever, the  issue  is  not  whether  such  consequences  are  inevitable,  but 
whether  they  are  possible.  For  example,  the  secondary  effects  associated 
with  ejected  turbine  blades  are  unpredictable.  Usually  they  do  not 
injure  passengers  or  damage  a vital  part  of  the  plane  — but  they  can. 
Therefore  this  failure  is  classified  as  critical.  Similarly,  any  failure 
that  causes  an  engine  fire  is  critical.  Despite  the  existence  of  fire- 
extinguishing systems,  there  is  no  guarantee  that  a fire  can  be  con- 
trolled and  extinguished.  Safety  consequences  are  always  assessed  at 
the  most  conservative  level,  and  in  the  absence  of  proof  that  a failure 
cannot  affect  safety,  it  is  classified;  by  default  as  critical. 

In  the  event  of  any  critical  failure,  every  attempt  is  made  to  prevent 
a recurrence.  Often  redesign  of  one  or  more  vulnerable  items  is  neces- 
sary, However,  the  design  and  manufacture  of  new  parts  and  their  sub- 
sequent incorporation  in  in-service  equipment  takes  months,  and 
sometimes  years.  Hence  some  other  action  is  needed  in  the  meantime. 
In  the  case  of  turbine-blade  failure  an  identifiable  physical  condition  — 
loose  blades  — has  been  found  to  occur  well  in  advance  of  actual  sepa- 
ration of  the  blades.  Thus  regular  inspection  for  this  condition  as  part 
of  scheduled  maintenance  makes  it  possible  to  remove  engines  at  the 


potential-failure  stage,  thereby  forestalling  all  critical  functional  fail- 
ures. Note  that  this  preventive-maintenance  task  does  not  prevent 
failures;  rather,  by  substituting  a potential  failure  for  a functional  fail- 
ure, it  precludes  the  consequences  of  a functional  failure. 

OPERATIONAL  CONSEQUENCES 

Once  safety  consequences  have  been  ruled  out,  a second  set  of  conse- 
quences must  be  considered: 

Does  the  failure  have  a direct  adverse  effect  on  operational  capability? 

Whenever  the  need  to  correct  a failure  disrupts  planned  operations,  the 
failure  has  operational  consequences.  Thus  operational  consequences 
include  the  need  to  abort  an  operation  after  a failure  occurs,  the  delay 
or  cancellation  of  other  operations  to  make  unanticipated  repairs,  or 
the  need  for  operating  restrictions  until  repairs  can  be  made.  (A  critical 
failure  can,  of  course,  be  viewed  as  a special  case  of  a failure  with  opera- 
tional consequences.)  In  this  case  the  consequences  are  economic:  they 
represent  the  imputed  cost  of  lost  operational  capability. 

A failure  tnat  requires  immediate  correction  does  not  necessarily 
have  operational  consequences.  For  example,  if  a failed  item  on  an  air- 
craft can  be  replaced  or  repaired  during  the  normal  transit  time  at  a line 
station,  then  it  causes  no  delay  or  cancellation  of  subsequent  flights, 
and  the  only  economic  consequence  is  the  cost  of  corrective  mainte- 
nance. In  contrast,  the  plane  may  be  operational,  but  its  reduced  capa- 
bility will  result  in  such  costs  as  high  fuel  consumption.  The  definition 
of  operational  consequences  will  therefore  vary  from  one  operating 
context  to  another.  In  all  cases,  however,  the  total  cost  of  an  operational 
failure  includes  the  economic  loss  resulting  from  the  failure  as  well  as 
the  cost  of  repairing  it.  If  a failure  has  no  operational  consequences,  the 
cost  of  corrective  m ;.n.<r*ance  is  still  incurred,  but  this  is  the  only  cost. 

If  a potential  failure  such  as  loose  turbine  blades  were  discovered 
while  the  plane  ’ xrvice,  " dme  required  to  remove  this  engine 
and  install  a ” : v one  would  .n.olve  operational  consequences.  How- 
ever, inspection.  *.•  this  potential  failure  can  be  performed  while  the 
plane  is  out  of  service  for  scheduled  maintenance.  In  this  case  there  is 
ample  time  to  remove  and  replace  any  failed  engines  (potential  failures) 
without  disrupting  planned  operations. 

NONOPERATIONAL  CONSEQUENCES 

There  are  many  kinds  of  functional  failures  that  have  no  direct  adverse 
effect  on  operational  capability.  One  common  example  is  the  failure  of 
a navigation  unit  in  a plane  equipped  with  highly  redundant  naviga- 
tion system.  Since  other  units  avad.  ty  of  the  required  func- 
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replaced  at  some  convenient  time.  Thus  the  costs  generated  by  such  a 
failure  are  limited  to  the  cost  of  corrective  maintenance. 

As  we  have  seen,  potential  failures  also  fall  in  this  category.  The 
purpose  of  defining  a potential  failure  that  can  be  used  to  preempt  a 
functional  failure  is  to  reduce  the  failure  consequences  in  as  many  cases 
as  possible  to  the  level  of  direct  cost  of  replacement  and  repair. 

HIDDEN-FAILURE  CONSEQUENCES 

Another  important  class  of  failures  that  have  no  immediate  conse- 
quences consists  of  failures  of  hidden-function  items.  By  definition, 
hidden  failures  can  have  no  direct  adverse  effects  (if  they  did,  the 
failure  would  not  be  hidden).  However,  the  ultimate  consequences  can 
be  major  if  a hidden  failure  is  not  detected  and  corrected.  Certain 
elevator-control  systems,  for  example,  are  designed  with  concentric 
inner  and  outer  shafts  so  that  the  failure  of  one  shaft  will  not  result  in 
any  loss  of  elevator  control.  If  the  second  shaft  were  to  fail  after  an 
undetected  failure  of  the  first  one,  the  result  would  be  a critical  failure. 
In  other  words,  the  consequence  of  any  hidden-function  failure  is  in- 
creased exposure  to  the  consequences  of  a multiple  failure. 


2-4  MULTIPLE  FAILURES 

Failure  consequences  are  often  assessed  in  terms  of  a sequence  of  inde- 
pendent events  leading  to  a multiple  failure,  since  several  successive 
failures  may  result  in  consequences  that  no  one  of  the  failures  would 
produce  individually.  The  probability  of  a multiple  failure  is  simple  to 
calculate.  Suppose  items  A and  B in  Exhibit  2.1  both  have  a probability 
of  0.99  of  surviving  a given  two-hour  flight  (this  would  correspond  to 
one  failure  per  100  flights,  which  is  in  fact  a very  high  failure  rate).  If 
items  A and  B are  both  functioning  at  takeoff  time,  there  are  only  four 
possible  outcomes:  ' 

► Item  A survives  and  item  B survives:  P = 0.f?9  X 0.99  = 0.9801 

► Item  A survives  and  item  B fails:  P = 0.99  X 0.01  = 0.0099 

► Item  A fails  and  item  B survives:  P = 0.01  X 0.99  = 0.0099 

► Item  A fails  and  item  B fails:  P = 0.01  X 0.01  = 0.0001 

In  other  words,  the  probability  that  A and  B will  both  fail  during  the 
same  flight  is  only  0.0001,  or  an  average  of  once  in  10,000  flights.  If  we 
were  considering  a multiple  failure  of  three  items,  the  average  occur- 
rence, even  with  the  high  failure  rate  we  have  assumed  here,  would  be 
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evaluation  of  multiple-failure 
consequences 


EXHIBIT  2*1  1 rce  diagram  showing  the  probability  of  a multiple 

failure  of  two  items  during  the  same  flight  when  both  items  are 
serviceable  at  takeoff. 


Note  the  dtfferqnce,  however,  if  item  A is  in  a failed  state  when 
the  flight  begins.  The" probability  that  B will  fail  is  .01;  thus  the  prob- 
ability of  a multiple  failure  of  A and  B depends  only  on  the  probability 
of  the  second  failure— .01,  or  an  average  of  one  occurrence  every  100 
flights.  This  becomes  a matter  of  concern  if  the  combination  has  critical 
consequences.  Because  of  the  increased  probability  of  a multiple  failure, 
hidden-function  items  are  placed  in  a special  category,  and  all  such 
items  that  are  not  subject  to  other  maintenance  tasks  are  scheduled  for 
failure-finding  tasks.  Although  this  type  of  task  is  intended  to  discover, 
rather  than  to  preyent,  hidden  failures,  it  can  be  viewed  as  preventive 
maintenance  because  one  of  its  objectives  is  to  reduce  exposure  to  a 
possible  multiple  failure. 

To  illustrate  how  the  consequences  of  a multiple  failure  might  be 
evaluated,  consider  a sequence  of  failures  all  of  which  are  evident.  If 
the  first  failure  has  safety  consequences,  there  is  no  need  to  assess  the 
consequences  of  a second  failure.  This  first  critical  failure  is  the  sole 
concern,  and  every  effort  is  made  to  prevent  its  occurrence.  When  the 
first  loss  of  function  is  not  critical,  then  the  consequences  of  a second 
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failure  j failure  failure  failure 

Critical  J, 

Operational  Critical 

Nonopmtional  Operational  Critical 


•fleet  on  previous 
ftihiree  in  sequence 


The  (critical  nature  of  the  firet 
failure  supersedes  the  consequences 
of  a possible  second  failure. 

A second  failure  would  be  critical) 
the  firet  failure  must  be  corrected 
before  further  dispatch  and  there* 
fore  has  operational  consequences. 

A third  failure  would  be  eriticsl; 
the  second  failure  must  be  cot* 
rected  before  further  diapetch, 
but  correction  of  die  first  failure 
can  be  deferred  to  a convenient 
time  and  location. 


Nonoperational  Nonopantlonal 


Operational  Critical  A fourth  failure  would  be  critical; 

the  third  failure  must  be  corrected 
before  further  dispatch,  but  correc- 
tion of  both  the  first  and  second 
failures  can  be  deferred. 


EXHIBIT  2*2  The  consequences  of  a single  failure  as  determined  by 
the  consequences  of  a possible  multiple  failure.  A failure  that  does 
not  in  itself  affect  operating  capability  acquires  operational 
consequences  if  a subsequent  multiple  failure  would  be  critical. 


loss  of  function  must  be  investigated.  If  the  combined  effect  of  both 
failures  would  jeopardize  safety,  then  this  multiple  failure  must  be 
prevented  by  correcting  the  first  failure  as  soon  as  possible.  This  may 
entail  an  unscheduled  landing  and  will  at  least  require  taking  the 
equipment  out  of  service  until  the  condition  has  been  repaired.  In  this 
case,  therefore,  the  first  failure  has  operational  consequences. 

Note  in  Exhibit  2,2  that  multiple-failure  consequences  need  be 
assessed  only  in  terms  of  two  successive  failure  events.  If  a third  loss 
of  function  would  be  critical,  the  second  failure  has  operational  con- 
sequences. However,  the  first  failure  in  such  a sequence  can  be  deferred 
to  a convenient  time  and  place;  thus  it  has  no  operational  consequences. 
Hidden-funcHon  failures  are  assessed  on  the  same  basis.  If  the  first 
failure  under  consideration  is  a hidden  one,  scheduled  maintenance  is 
necessary  to  protect  against  a multiple  failure.  The  intensity  of  this 
maintenance,  however,  is  dictated  by  the  consequences  of  the  possible 
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would  be  critical,  every  effort  is  made  to  ensure  that  the  hidden  func- 
tion will  be  available. 

What  we  are  doing,  in  effect,  is  treating  any  single  failure  as  the 
first  in  a succession  of  events  that  could  lead  to  a critical  multiple  fail- 
ure. It  is  this  method  of  assessing  failure  consequences  that  permits  us 
to  base  a maintenance  program  on  the  consequences  of  single  failures. 


2*5  THE  FAILUkE  PROCESS 

FAILURE  IN  SIMPLE  ITEMS  failure  in  simple  items 

One  reason  for  identifying  unsatisfactory  conditions  at  the  potential-  * model  of  the  failure  process 

failure  stage  is  to  prevent  the  more  serious  consequences  of  a functional  ,he  *«e  at  faUure 

failure.  Another  reason,  however,  is  that  the  removal  of  individual  unit* 
on  the  basis  of  their  condition  makes  it  possible  to  realize  most  of  the 
useful  life  of  each  unit.  To  see  how  this  procedure  works,  consider  a 
simple  item  such  as  the  airplane  tire  in  Exhibit  2.3.  Although  a tire  has 
other  functions,  here  we  are  concerned  with  its  retread  capability. 

Hence  we  have  defined  a functional  failure  as  the  point  at  which  the 

EXHIBIT  2 • 3 Tire  tread  wear  as  an  illustration  of  the  failure  process 
in  a simple  item.  The  potential- failure  condition  is  defined  in  this 
case  as  the  tread  depth  at  point  ,4.  At  point  B,  when  the  tire  is  smooth, 
it  can  still  be  removed  as  a potential  failure,  but  if  wear  continues  to 
point  C the  carcass  will  no  longer  be  suitable  for  retreading,  and  the 
loss  of  this  function  will  constitute  a functional  failure. 


Exposure  (number  of  landings) 
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EXHIBIT  2 '4  The  use  of  potential  failures  to  prevent  functional 
failures.  When  tread  depth  reaches  the  potential-failure  stage,  the 
tire  is  removed  and  retreaded  (recapped).  This  process  restores  the 
original  tread,  '.od  hence  the  original  failure  resistance,  so  that 
the  tire  never  reaches  the  functional-failure  stage. 


carcass  plies  are  exposed  so  that  the  carcass  is  no  longer  suitable  for 
retreading.  The  remaining  tread  is  thus  the  tire's  resistance  to  failure  at 
any  given  moment.  The  stresses  to  which  the  tire  is  subjected  during 
. each  landing  reduce  this  resistance  by  some  predictable  amount,  and 

the  number  of  landings  is  a measure  of  the  total  exposure  to  stress.  With 
increasing  exposure  in  service,  the  failure  resistance  is  gradually  re- 
duced until  eventually  there  is  a functional  failure— visible  plies. 

Because  the  reduction  in  failure  resistance  is  visible  and  easily 
measured,  it  is  usual  maintenance  practice  to  define  a potential  failure 
as  some  wear  level  just  short  of  this  failure  point.  The  tires  are  inspected 
periodically,  usually  when  the  aircraft  is  out  of  service,  and  any  tire 
worn  beyond  the  specified  level  is  replaced.  To  allow  for  periodic 
inspections,  the  condition  we  choose  as  the  potential-failure  stage 
must  not  be  too  close  to  the  functional-failure  condition;  that  is,  there 
must  be  a reasonable  interval  in  which  to  detect  the  potential  failure 
and  take  action.  Conversely,  setting  the  potential-failure  limit  too  high 
would  mean  replacing  tires  that  still  had  substantial  useful  life. 

Once  the  optimum  potential-failure  level  has  been  defined,  inspec- 
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tread  wear  over  a given  number  of  landings.  Exhibit  2.4  shows  a smooth 
tread  noticed  at  inspection  5.  At  this  point  the  tire  is  replaced,  and  if 
its  carcass  is  sound,  it  will  be  retreaded.  Retreading  restores  the  original 
tread,  and  hence  the  original  resistance  to  failure,  and  a new  service 
cycle  begins. 

Failure  resistance,  as  we  are  using  the  concept  here,  is  somewhat 
analogous  to  the  structural  engineering  practice  of  determining  the 
stresses  imposed  by  an  applied  load  and  then  addir.g  a safety  factor  to 
determine  the  design  strength  of  a structural  member.  The  difference 
between  the  applied  load  and  the  design  strength  is  then  the  resistance 
to  failure.  The  same  principle  extends  to  servicing  and  lubrication 
requirements,  for  example,  where  a specified  oil  quantity  or  lubrication 
film  represents  a resistance  to  functional  failure.  Similarly,  loose  turbine 
blades  are  taken  as  a marked  reduction  in  failure  resistance.  The  ,s  a 
subtle  difference,  however,  between  this  latter  situation  and  _■  tire 
example.  In  the  case  of  the  tire  the  decline  in  failure  resistance  is  visible 
and  the  approximate  unit  of  stress  (average  tread  wear  per  landing)  is 
known.  In  the  case  of  turbine  blades  the  unit  of  stress  is  unknown  and 
the  decline  in  failure  resistance  is  not  apparent  until  the  resistance  has 
become  quite  low. 

A MODEL  Of  THE  FAILURE  PROCESS 

So  far  we  have  discussed  a reduction  in  failure  resistance  that  is  evi- 
denced by  some  visible  condition.  The  more  general  failure  process 
involves  a direct  interaction  between  stress  and  resistance,  as  shown 
in  Exhibit  2.5.  The  measure  of  exposure  may  be  calendar  time,  total 
operating  hours,  or  number  of  flight  or  landing  cycles,  depending  on 
the  item.  Because  the  measurable  events  occur  over  time,  it  is  common 
to  refer  to  total  exposure  as  the  agt  of  an  item.  Possible  measures  for  the 
stress  scale  are  even  more  varied.  Stresses  may  include  temperature  and 
atmospheric  conditions,  vibration,  abrasion,  peak  loads,  or  some  com- 
bination of  these  factors.  It  is  often  impossible  to  separate  all  the  stress 
factors  that  may  affect  an  item;  hence  exposure  to  stress  is  usually  gen- 
eralized to  include  all  the  stresses  to  which  the  item  is  subjected  in  a 
given  operating  context. 

The  primary  age  measure  for  most  aircraft  equipment  is  operating 
hours,  usually  "off-to-on"  (takeoff  to  landing)  flying  hours.  Some  failure 
modes,  however,  are  related  to  the  number  of  ground-air-ground  stress 
cycles,  and  in  these  cases  age  is  measured  as  number  of  landings  or 
flight  cycles.  Flight  cycles  are  important,  for  example,  in  determining 
the  number  of  stress  cycles  experienced  by  the  aircraft  structure  and 
landing  gear  during  landing.  They  are  also  of  concern  for  powerplants. 

Engines  undergo  much  more  stress  during  takeoff  and  climb  than  dur- 
ing cruise,  and  an  engine  that  experiences  more  takeoffs  in  the  same 

number  of  operating  hours  will  deteriorate  more  rapidly.  section  2*5 
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EXHIBIT  2’S  Generalized  model  of  the  failure  process.  Resistance 
to  failure  is  assumed  to  decline  steadily  with  exposure  to  stress, 
measured  over  time  as  operating  age,  flight  cycles,  and  so  on. 

A functional  failure  occurs  when  the  amount  of  stress  exceeds  the 
remaining  failure  resistance.  In  reality  both  stress  and  resistance 
can  fluctuate,  so  that  there  is  no  way  to  predict  the  exact  age  at 
which  the  failure  point  will  be  reached. 


For  this  reason  all  aircraft  equipment  is  monitored  in  terms  of  both 
operating  hours  and  flight  cycles,  usually  on  the  basis  of  total  flying 
time  and  total  flight  cycles  for  the  entire  aircraft.  Thus  if  an  engine  is 
installed  in  a plane  that  has  accumulated  1,000  operating  hours  and  is 
removed  at  1,543  hours,  the  engine  has  aged  543  hours  since  installa- 
tion. If  that  engine  was  300  hours  old  when  it  was  installed,  its  age  at 
removal  is  843  hours. 

Some  military  aircraft  are  equipped  with  acceleration  recorders 
which  also  monitor  the  number  of  times  the  structure  is  stressed  beyond 
a certain  number  of  G's  during  operation.  The  loads  can  be  counted  and 
converted  to  an  equivalent  number  of  flight  hours  at  the  plane's  de- 
signed operating  profile.  Like  operating  hours  or  flight  cycles,  these 
"spectrum  hours"  provide  a basis  for  estimating  the  reduction  in  resis- 
tance to  a particular  failure  mode. 

A functional  failure  occurs  when  the  stress  and  resistance  curves 
intersect— tha;  is,  when  the  stress  exceeds  the  remaining  resistance 
to  failure.  Either  of  these  curves  may  take  a variety  of  different  shapes, 
and  the  point  at  which  they  intersect  will  vary  accordingly  (see  Exhibit 
2.6).  Until  they  do  intersect,  however,  no  functional  failure  occurs.  In 
practice  this  failure  model  can  be  applied  only  to  simple  items  — those 
subject  to  only  one  or  a very  few  failure  modes  — and  to  individual 
34  THEORY  AND  PRINCIPLES  failure  modes  in  complex  items.  The  reason  for  such  a limitation  be- 


comes  apparent  if  we  consider  some  of  the  variables  in  just  a single 
failure  mode. 

THE  ACE  AT  FAILURE 

Our  examples  thus  far  imply  that  any  given  component,  such  as  a 
tire,  has  a well-defined  initial  resistance  to  failure  and  that  the  rate  of 
decline  in  this  resistance  is  more  or  less  known  and  predictable.  It  follows 
that  the  time  of  failure  should  be  predictable.  In  reality,  however,  even 
nominally  identical  parts  will  vary  both  in  their  initial  failure  resistance 
and  in  the  rate  at  which  this  resistance  declines  with  age.  Suppose  we 
have  two  nominally  identical  units  of  a simple  item,  or  perhaps  two 
identical  parts  in  a complex  item.  To  simplify  matters  further,  let  us  say 
they  are  exposed  to  only  one  type  of  stress  and  are  subject  to  only  one 
type  of  failure.  On  this  basis  we  might  expect  their  failure  resistance  to 
decline  at  the  same  rate  and  therefore  expect  both  units  to  fail  at  approx  - 


EXHIBIT  2'6  Variability  of  stress,  failure  resistance,  and  the  age 
at  failure.  In  example  A the  resistance  remains  constant  over  time, 
but  a sudden  peak  in  stress  causes  failure  to  occur.  In  B the  stress 
and  resistance  curves  do  not  intersect,  but  the  peak  in  stress  has 
permanently  lowered  the  remaining  failure  resistance.  In  C the 
reduction  in  failure  resistance  caused  by  the  peak  stress  is  temporary. 
In  D the  peak  stress  has  accelerated  the  rate  at  which  the  remaining 
resistance  will  decline  with  age. 
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EXHIBIT  2*7  The  difference  in  failure  age  of  two  nominally  identical 
parts  subjected  to  similar  stress  patterns.  The  two  units  begin  their 
service  lives  with  comparable  initial  resistance  to  failure,  but  unit  B 
is  exposed  to  greater  stress  peaks  and  reacts  to  them  consistently. 

Unit  A behaves  less  accountably;  its  resistance  is  unaffected  by  stress 
peaks  at  600  and  1,120  hours  but  declines  rapidly  between  1,200  and 
1,300  hours.  As  a result,  one  unit  fails  at  850  hours  and  the  other  at 
1,300  hours. 

imately  the  same  age.  However,  all  manufactured  components  are 
produced  to  specified  tolerance  limits,  which  results  in  a variation  in 
initial  resistance.  These  variai  ons  are  insignificant  from  a performance 
standpoint,  but  the  result  is  that  the  two  units  will  begin  their  service 
lives  with  slightly  different  capacities  to  resist  stress,  and  these  capaci- 
ties may  decline  at  somewhat  different  rates. 

Stress  also  varies  from  moment  to  moment  during  operation,  some- 
times quite  abruptly.  For  example,  the  different  loads  exerted  on  an 
aircraft  structure  by  atmospheric  turbulence  can  vary  markedly  even 
in  the  course  of  a short  flight.  Moreover,  the  effect  of  these  stresses  will 
be  further  influenced  by  the  condition  of  the  item  at  the  particular 
moment  it  is  stressed.  As  a result,  each  component  will  encounter  a dif- 
ferent stress  pattern  even  if  both  are  operating  as  part  of  the  same  sys- 
tem. Although  the  variations  in  either  stress  or  resistance  may  be  slight, 
their  interaction  can  make  a substantial  difference  in  the  length  of  time 
'*  — • a given  component  will  operate  before  failing.  Units  A and  B in  Exhibit 

2.7  aic relatively  e'ikp  in  their  initial  resistance,  and  the  stress  placed  on 
each  does  not  vary  much  from  the  constant  stress  assumed  in  the  gener- 
alized model.  However,  the  time  of  failure  is  the  point  at  which  the 
stress  and  resistance  curves  intersect;  thus  unit  B failed  at  an  age  of 
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Despite  the  variation  in  the  failure  ages  of  individual  units,  if  a 
large  number  of  nominally  identical  units  are  considered,  their  failures 
will  tend  to  concentrate  about  some  average  age.  For  purposes  of  relia- 
bility analysis,  however,  it  is  necessary  to  employ  statistical  techniques 
that  describe  the  variation  about  this  average  age. 

It  is  also  important  to  recognize  that  the  actual  age  at  failure  de- 
pends on  the  stress  the  unit  experiences.  The  wing-to-fuselage  joints 
of  an  aircraft  will  stand  up  to  normal  air  turbulence  for  a very  long  time, 
but  perhaps  not  to  the  loads  encountered  during  a tornado.  The  fan 
blades  of  a turbine  engine  can  withstand  thousands  of  hours  of  normal 
stress,  but  they  may  not  be  able  to  tolerate  the  ingestion  of  a single 
goose.  In  nearly  all  cases  random  stress  peaks  markedly  above  the  aver- 
age level  will  lower  the  failure  resistance.  This  reduction  may  be  perma- 
nent, as  when  damage  to  several  structural  members  lowers  the  failure 
resistance  of  a wing,  or  resistance  may  be  affected  only  at  the  time  the 
stress  exceeds  a certain  level.  In  some  cases  resistance  may  change  with 
each  variation  in  stress,  as  with  metal  fatigue.  From  the  standpoint  of 
preventive  maintenance,  however,  the  important  factor  is  not  a predic- 
tion of  when  an  item  is  likely  to  fail,  but  whether  or  not  the  reduction  in 
failure  resistance  can  be  identified  by  some  physical  evidence  that 
permits  us  to  recognize  an  imminent  failure. 

Many  functional  failures  are  evident  at  the  time  they  occur,  and  in 
these  cases  the  exact  age  at  failure  is  known.  Unless  a failure  is  evi- 
dent to  the  operating  crew,  however,  it  is  impossible  to  determine  pre- 
cisely when  it  occurred.  A potential  failure  detected  by  mechanics  is 
known  only  to  have  occurred  some  time  between  the  last  inspection 
and  the  inspection  at  which  it  is  observed.  Similarly,  although  there  is 
some  exact  age  at  which  a hidden  function  fails,  the  only  age  we  can 
pinpoint  is  the  time  at  which  the  failure  is  discovered.  For  this  reason 
the  age  at  failure  is  defined,  by  convention,  as  the  age  at  which  a failure 
is  observed  and  reported. 


2 • 6 FAILURE  IN  COMPLEX  ITEMS 

A complex  item  is  one  that  is  subject  to  many  different  failure  modes.  As  failure  modes 

a result,  the  failure  processes  may  involve  a dozen  different  stress  and  dominant  failure  modes 

resistance  considerations,  and  a correspondingly  tangled  graphic  repre-  failure  age  of  a complex  item 

sentation.  However,  each  of  these  considerations  pertains  to  a single 

failure  mode  — some  particular  type  or  manner  of  failure.  For  instance,  a 

bearing  in  a generator  may  wear;  this  causes  the  unit  to  vibrate,  and 

ultimately  the  bearing  will  seize.  At  this  point  the  generator  will  suffer 

a functional  failure,  since  it  can  no  longer  rotate  and  produce  electric 

power.  Generators  can  also  fail  for  other  reasons,  but  the  failure  mode 

in  this  case  is  bearing  seizure. 

Of  course,  the  bearing  itself  is  also  subject  to  more  than  one  failure  SECTION  2>6  37 


mode.  It  may  wear  as  a result  of  abrasion  or  crack  as  a result  of  excessive 
heat.  From  the  standpoint  of  the  generator  both  conditions  lead  to  the 
same  failure,  bearing  seizure.  However,  the  maintenance  analyst  must 
know  the  physical  circumstances  leading  to  a particular  failure  in  order 
to  define  an  identifiable  potential-failure  condition.  The  manufacturer 
also  needs  to  know  that  the  bearing  is  prone  to  failure  and  that  a modi- 
fication is  needed  to  improve  the  reliability  of  the  generator.  Such  a 
design  modification  is  obviously  desirable  if  one  particular  failure  mode 
is  responsible  for  a significant  proportion  of  all  the  failures  of  the  item. 
Such  failure  modes  are  called  dominant  failure  modes. 

As  with  failures  in  simple  items,  the  failure  ages  for  a single  failure 
mode  tend  to  concentrate  about  an  average  age  for  that  mode.  However, 


EXHIBIT  2*3  Experience  with  50  newly  installed  Pratt  & Whitney 
JT8D-7  engines  over  the  first  2,000  operating  hours.  The  21  units  that 
failed  before  2,000  hours  flew  a total  of  18,076  hours,  so  the  total 
operating  time  for  all  50  engines  was  18,076  hours  plus  58,000  hours 
for  the  surviving  engines,  or  76,076  hours.  The  mean  time  between 
failures  was  therefore  76,076/21,  or  3,622  hours.  The  average  age 
of  the  failed  engines,  however,  was  only  861  hours.  (United  Airlines) 
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the  average  ages  for  all  the  different  modes  will  be  distributed  along 
the  exposure  axis.  Consequently,  unless  there  is  a dominant  failure 
mode,  the  overall  failure  ages  in  complex  items  are  usually  widely  dis- 
persed and  are  unrelated  to  a specific  operating  age.  This  is  a unique 
ch,  racteristic  of  complex  items.  A typical  example  is  illustrated  in  Ex- 
hibit 2.8.  In  a sample  of  50  newly  installed  Pratt  & Whitney  JT8D-7 
engines,  29  survived  beyond  2,000  operating  hours.  The  disparate  fail- 
ure ages  of  the  21  units  that  failed,  however,  do  not  show  any  concen- 
tration about  the  average  failure  age  of  861  hours. 

Nevertheless,  even  in  complex  items,  no  matter  how  numerous  the 
failure  modes  may  be,  the  basic  failure  process  reduces  to  the  same 
facior—  the  interaction  between  stress  and  resistance  to  failure.  Whether 
failures  involve  redrr’d  resistance,  random  stress  peaks,  or  any  combi- 
nation of  the  two  -i  • interaction  that  brings  an  item  to  the  failure 
point.  This  aspc  -*  o me  failure  process  was  summed  up  in  a 1960 
United  Airlines  report:* 

The  anp  le  as  a whole,  its  basic  structure,  its  systems,  and  the 
various  items  in  it  are  operated  in  an  environment  which  causes 
stresses  to  be  imposed  upon  them.  The  magnitudes,  the  durations 
and  the  frequencies  with  which  specific  stresses  are  imposed  are 
all  very  variable.  In  many  cases,  the  real  spectrum  of  environ- 
mentally produced  stresses  is  not  known.  The  ability  to  withstand 
stress  is  also  variable.  It  differs  from  piece  to  oiece  of  new  nomi- 
nally identical  equipment  due  to  material  differences,  variations 
in  the  manufacturing  processes,  etc.  The  ability  to  withstand  stress 
may  also  vary  with  the  age  of  a piece  of  equipment. 

It  is  implied  that  an  instance  of  environmental  stress  that  ex- 
ceeds the  failure  resistance  of  an  item  at  a particular  time  consti- 
tutes failure  of  that  item  at  that  time. 


2 • 7 QUANTITATIVE  DESCRIPTIONS  OF  FAILURE 


Any  unanticipated  critical  failure  prompts  an  immediate  response  to 
prevent  repetitions.  In  other  cases,  however,  it  is  necessary  to  know 
how  frequently  an  item  is  liKely  to  fail  in  order  to  plan  for  reliable 
operation.  There  are  several  common  reliability  indexes  based  on  the 
failure  history  of  an  item.  Methods  for  deriving  certain  of  these  measures 


failure  rate 

mean  time  between  failures 
probability  of  survival 
probability  density  of  failure 
conditional  probability 
of  failure 


*F.  S.  Nowlan,  A Comparison  of  the  Potential  Effectiveness  of  Numerical  Regulatory 
Codes  in  the  Fields  of  Overhaul  Periodicity,  Airplane  Strength,  and  Airplane  Perfor- 
mance, United  Airlines  Report  POA-32,  April  14,  1960.  These  remarks  paraphrase  a report 
prepared  by  D.  J.  Davis  of  the  Rand  Corporation  in  1950,  which  offered  intensive  analysis  of 
failure  data.  For  an  excellent  detailed  discussion  of  the  physical  processes  present  in  the 
failure  mechanism,  see  Robert  P.  Haviland,  Reliability  and  Long  Life  Design,  Van  Nostrand 

Company,  Inc.,  New  York,  1964.  SECTION  2 ‘7 
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are  discussed  in  detail  in  Appendix  C,  but  it  is  helpful  at  this  point  to 
know  what  each  measure  actually  represents. 

FAILURE  RATI  ' 

The  failure  rate  is  the  total  number  of  failures  divided  by  some  measure 
of  operational  exposure.  In  most  cases  the  failure  rate  is  expressed  as 
failures  per  1,000  operating  hours.  Thus  if  six  failures  have  occurred 
over  a period  of  9,000  hours,  the  failure  rate  is  ordinarily  expressed  as 
0.667.  Because  measures  other  than  operating  hours  are  also  used  (flight 
cycles,  calendar  time,  etc.),  it  is  important  to  know  the  units  of  measure 
in  comparing  failure-rate  data. 

The  failure  rate  is  an  especially  valuable  index  for  new  equipment, 
since  it  shows  whether  the  failure  experience  of  an  item  is  representa- 
tive of  the  state  of  the  art.  It  is  also  useful  in  assessing  the  economic 
desirability  of  product  improvement.  Early  product-improvement  deci- 
sions are  based  on  the  performance  of  units  that  have  beer,  exposed  to 
fairly  short  individual  periods  of  time  in  service,  and  this  performance 
is  adequately  measured  by  the  failure  rate. 

MEAN  TIME  BETWEEN  FAILURES 

The  mean  time  between  failures,  another  widely  used  reliability  index, 
is  the  reciprocal  of  the  failure  rate.  Thus  with  six  failures  in  9,000  oper- 
ating hours,  the  mean  time  between  failures  would  be  9,000/6,  or  1,500 
hours.  This  measure  has  the  same  uses  as  the  failure  rate.  Note  that  the 
mean  time  between  failures  is  not  necessarily  the  same  as  the  average 
age  at  failure.  In  Exhibit  2.8,  for  example,  the  average  age  of  the  failed 
engines  was  861  hours,  whereas  the  mean  time  between  failures  was 
3,622  hours.* 

PROBABILITY  OF  SURVIVAL 

With  more  extended  operating  experience  it  becomes  possible  to  de- 
termine the  age-reliability  characteristics  of  the  item  under  study— the 
relationship  between  its  operating  age  and  its  probability  of  failure.  At 
this  stage  we  can  plot  a survival  curve,  showing  the  probability  of  sur- 
vival without  failure  as  a function  of  operating  age.  This  curve  relates 
directly  to  the  gener  ly  accepted  definition  of  reliability: 


Reliability  is  the  probability  that  an  item  will  survive  to  a specified  oper- 
ating age,  under  specified  operating  conditions,  without  failure. 


For  this  reason  the  survival  curve  is  commonly  referred  to  as  the  reli- 
ability function. 
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EXHIBIT  2*9  Survival  curve  for  the  Pratt  & Whitney  JT8D-7  engine 
of  the  Boeing  737,  based  on  58,432  total  operating  hours  from  May  1 
to  July  31,  1974.  The  average  life  is  computed  by  partitioning  along 
the  vertical  axis  to  form  small  incremental  areas  whose  sum 
approximates  the  area  under  the  curve.  With  an  age  limit  of  1,000 
hours,  only  the  shaded  area  enters  into  this  computation,  since  no 
engines  can  contribute  to  the  survival  curve  beyond  this  limit, 
despite  the  fact  that  they  would  have  survived  had  they  been  left  in 
service.  (United  Airlines) 


Exhibit  2.9  shows  a typical  survival  curve  for  an  aircraft  turbine 
engine.  The  curve  represents  the  percentage  of  installed  engines  that 
survived  to  the  time  shown  on  the  horizontal  axis,  and  this  is  usually 
our  best  estimate  of  the  probability  that  any  individual  engine  will 
survive  to  that  time  without  failure. 

A survival  curve  is  more  useful  than  a simple  statement  of  the 
failure  rate,  since  it  can  be  used  to  predict  the  percentage  of  units  that 
will  survive  to  some  given  age.  If  the  engines  in  Exhibit  2.9  were  sched- 
uled for  removal  at  1,000  hours,  for  example,  69  percent  of  them  would 
survive  to  that  age  limit,  whereas  31  percent  could  be  expected  to  fail 
before  then.  The  area  under  the  survival  curve  can  also  be  used  to  mea- 
sure the  average  life  of  the  item  under  consideration.  If  the  probability 
scale  is  divided  into  small  increments,  each  of  which  is  projected  to 
intersect  the  curve,  the  contribution  of  each  of  these  incremental  areas 
can  be  calculated  and  added  to  determine  the  average  life.  Thus,  the  tri- 
angle at  the  top  is  the  contribution  of  the  first  10  percent  of  the  units  that 
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fail  (90  percent  survive  beyond  this  age): 

[(age  at  P = 1)  + (age  at  P = .90)]  X 4p 

The  next  incremental  area  represents  the  contribution  to  the  average  life 
of  the  next  10  percent  of  the  units  that  fail: 


[(age  at  P — .90)  + (age  at  P — .80)]  x 

and  so  on.  Completion  of  this  computation  for  the  entire  area  under  the 
curve  would  show  that,  with  no  age  limit,  the  average  life  expected  for 
each  engine  in  service  would  be  1,811  hours. 

Note,  however,  that  an  age  limit  of  1,000  hours  removes  all  the  sur- 
viving units  from  service  at  that  age.  In  this  case,  therefore,  the  area 
under  the  curve  represents  only  the  area  up  to  that  age  limit.  The  proba- 
bility of  survival  to  1,000  hours  is  .692,  so  the  contribution  of  any  sur- 
viving unit  to  the  average  life  is  only  1,000  hours  X .692  = 692  hours. 
This  contribution,  added  to  the  incremental  contributions  above  it  for 
the  units  that  failed,  yields  an  average  realized  life  of  838  hours  for  faded 
and  unfailed  engines.  Any  engines  that  would  have  survived  to  ages 
higher  than  1,000  hours,  and  thus  have  added  to  the  average  life,  do  not 
count.  The  average  lives  that  would  be  realized  with  other  age  limits 
in  this  case  are  as  follows: 


age  limit 

1.000  hours 

2.000  hours 

3.000  hours 
No  limit 


average  realized  life 
838  hours 
1,393  hours 
1,685  hours 
1,811  hours 
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PROBABILITY  DENSITY  OF  FAILURE 

The  probability  that  an  engine  in  Exhibit  2.9  will  survive  to  1,000  hours 
is  .692,  and  the  probability  that  it  will  survive  to  1,200  hours  is  .639.  The 
difference  between  these  probabilities,  .053,  is  the  probability  of  a fail- 
ure during  this  200-hour  interval.  In  other  words,  an  average  of  5.3  out 
of  every  100  engines  that  enter  service  can  be  expected  to  fail  during  , 
this  particular  interval.  Similarly,  an  average  of  5.0  engines  can  be  ex- 
pected to  fail  during  the  interval  from  1,200  to  1,400  hours.  This  measure 
is  called  the  probability  density  of  failure. 

Exhibit  2.10  shows  the  probability  densities  for  each  200-hour 
age  interval,  plotted  from  the  probabilities  of  survival  at  each  age.  A 
decreasing  percentage  of  the  engines  will  fail  in  each  successive  age 
interval  because  a decreasing  percentage  of  engines  survives  to  enter 
that  interval. 
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EXHIBIT  2*10  Probability  density  of  failure  foi  the  Pratt  & Whitney 
JT8TJ-7  engine  of  the  Boeing  73"\  Density  values  are  plotted  at  the 
midpoint  of  each  200-hour  interval  and  represent  the  probability  that 
a failure  will  occur  during  thi . interval.  (United  Airlines) 


CONDITIONAL  PROBABILITY  OF  FAILURE 

The  most  useful  measure  of  the  age-reliability  relationship  is  the  prob- 
ability that  an  item  entering  a given  age  interval  will  fail  during  that 
interval.  This  measure  is  usually  called  the  conditional  probability  of 
failure— the  probability  of  failure,  given  the  condition  that  the  item 
enters  that  age  interval.  Sometimes  it  is  also  referred  to  as  the  hazard 
rate  or  the  local  failure  rate.*  The  conditional  probability  is  related 
to  both  the  probability  of  survival  and  the  probability  density.  For 
example,  an  engine  beginning  at  zero  time  has  a probability  of  .692  of 
reaching  the  age  of  1,000  hours;  once  it  has  reached  this  age,  the  prob- 
ability density  of  failure  in  the  next  200-hour  interval  is  .053.  Each 
engine  that  survives  to  1,000  hours  therefore  has  a conditional  proba- 
bility of  failure  between  1,000  and  1,200  hours  of  .053/.692,  or  .077.  The 
complete  conditional-probability  curve  for  this  engine  is  shown  in 
Exhibit  2.11. 

If  the  conditional  probability  of  failure  increases  with  age,  we  say 
that  the  item  shows  wearout  characteristics  and  immediately  wonder  if 
an  age  limit  would  be  effective  in  reducing  the  overall  failure  rate.  (Note 

'In  some  literature  these  terms  are  defined  in  a narrower  sense  to  mean  the  value  obtained 
by  computing  the  limit  of  the  ratio  as  the  age  interval  goes  to  zero. 
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EXHIBIT  2' II  Conditional  probability  of  failure  for  the  Pratt  & 
Whitney  JT8D-7  engine  of  the  Boeing  737.  Probability  values  are 
plotted  at  the  midpoint  of  each  200-hour  interval  and  represent  the 
average  probability  that  an  engine  that  survives  to  enter  the  interval 
will  fail  during  this  interval.  (United  Airlines) 


that  the  term  ivearout  in  this  context  describes  the  adverse  effect  of  age 
on  reliability;  it  does  not  necessarily  imply  any  evident  physical  change 
in  individual  units.)  With  an  age  limit  of  1,000  hours  the  average  real- 
ized life  of  the  engine  in  question  is  838  hours.  The  probability  that  an 
engine  will  survive  to  this  age  is  .692,  so  the  failure  rate  with  this  limit 
would  be  the  probability  of  failure  (.308)  divided  by  the  average  life, 
or  a rate  of  0.37  failures  per  1,000  hours. 

Exhibit  2.12  shows  this  failure  rate  plotted  as  a function  of  various 
age  limits.  If  the  age  limit  is  raised  from  1,000  hours  to  2,000  hours,  the 
overall  failure  rate  is  0.42,  an  increase  of  only  13.5  percent  due  to  the 
second  thousand  hours  of  operation.  However,  the  conditional  prob- 
ability of  failure  in  the  200-hour  interval  just  before  each  of  these  age 
limits  goes  up  from  .075  to  .114,  an  increase  of  52  percent.  The  rate  of 
increase  in  the  failure  rate  falls  off  with  age  because  it  depends  on  the 
conditional  probability  for  each  interval  weighted  by  the  probability  of 
survival  to  that  interval -and  there  is  a continual  reduction  in  the  sur- 
vival probability. 

What  this  means  is  that  the  effectiveness  of  an  age  limit  in  control- 
ling failure  rates  depends  not  only  on  large  increases  in  conditional 
44  theory  AND  PRINCIPLES  probability  at  higher  ages,  but  also  on  a high  probability  of  survival  to 
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EXHIBIT  2*12  Relationship  between  the  failure  rate  and  various  age 
limits  for  the  Trait  & Whitney  JT8D-7  engine  of  the  Boeing  737. 
(United  Airlines) 


those  ages.  It  follows  that  the  desirability  of  an  age  limit  on  any  item 
cannot  be  investigated  until  there  are  sufficient  operating  data  to  con- 
struct survival  and  conditional-probability  curves. 


2 • 8 AGE- RELIABILITY  CHARACTERISTICS 


At  one  time  it  was  believed  that  all  equipment  would  show  wearout 
characteristics,  and  during  the  years  when  equipment  overhaul  times 
were  being  rapidly  extended.  United  Airlines  developed  numerous 
conditional-probability  curves  for  aircraft  components  to  ensure  that 
the  higher  overhaul  times  were  not  reducing  overall  reliability.  It  was 
found  that  the  conditional-probability  curves  fell  into  the  six  basic 
patterns  shown  in  Exhibit  2.13.  Pattern  A is  often  referred  to  in  reliability 
literature  as  the  bathtub  curve.  This  type  of  cuive  has  three  identifiable 
regions: 


the  bathtub  curve 

age-reliability  relationships 
of  complex  items 

the  "life"  of  a complex  item 


► An  infant-mortality  region,  the  period  immediately  after  manufac- 
ture or  overhaul  in  which  there  is  a relatively  high  probability  of 
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EXHIBIT  2*0  Age-reliability  patterns.  In  each  case  tlir  voitic.il  axis 
represents  t lie  cnmtilion.il  pioh.il'iliH  ol  fail  ini'  a.nt  the  horizontal 
avis  represents  npeiv.lim>  age  since  in.inulaclme.  overhaul,  or  repair. 

*1  liese  six  curves  are  domed  lioin  teliabilily  analv.ses  cointutted  over  a 
nnnihci  of  ve.ns,  dining  which  al!  the  items  analyzed  were  found  to 
be  i hainclei i/ed  by  one  or  anolliei  ol  the  age  reliability  lelatiunsliips 
shown.  I lie  piixenl.iges  indicate  the  peuenlage  ol  items  studied  that 
loll  into  each  ol  tin  basic  patterns  (t’nited  Airlines) 


11%  might 
benefit  from 
a limit  on 
operating  age 


89%  cannot 
benefit  from 
a limf  t on 
operating  age 


The  bathtub  curve;  infant  mortality,  followed 
first  by  a constant  or  gradually  Increasing  failure 
probability  and  then  by  a pronounced  "wearout" 
region.  An  age  limit  may  be  desirable,  pro- 
vided a large  number  of  units  survive  to  the 
age  at  which  wearout  begins. 


Constant  or  gradually  increasing  failure  prob- 
ability, followed  by  a pronounced  wearout 
region.  Once  again,  an  age  limit  may  be  desir- 
able (this  curve  is  characteristic  of  aircraft 
reciprocating  engines). 


Gradually  increasing  failure  probability,  but 
with  no  identifiable  wearout  age.  It  is  usually 
not  desirable  to  impose  an  age  limit  in  such 
cases  (this  curve  is  characteristic  of  aircraft 
turbine  engines). 


Low  failure  probability  when  the  item  is  new 
or  Just  out  of  the  shop,  followed  by  a quick 
increase  to  a constant  level. 


Constant  probability  of  failure  at  all  ages 
(exponential  survival  distribution). 


Infant  mortality,  followed  by  a constant  or  very 
slowly  increasing  failure  probability  (partic- 
ularly applicable  to  electronic  equipment). 
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► A region  of  constant  and  relatively  low  failure  probability 

► A wearout  region,  in  which  the  probability  of  failure  begins  to  in- 
crease rapidly  with  age 

If  the  failure  pattern  of  an  item  does  in  fact  fit  this  curve,  we  are 
justified  in  concluding  that  the  overall  failure  rate  will  be  reduced  if 
some  action  is  taken  just  before  this  item  enters  the  wearout  zone.  In 
these  cases  allowing  the  item  to  age  well  into  the  wearout  region  would 
cause  an  appreciable  increase  in  the  failure  rate.  Note,  however,  that 
,uch  action  will  not  have  much  effect  on  the  overall  rate  unless  there  is 
a high  probability  that  the  item  will  survive  to  the  age  at  which  wearout 
appears. 

The  presence  of  a well-defined  wearout  region  is  far  from  uni- 
versal; indeed,  of  the  six  curves  in  Exhibit  2.13,  only  A and  B show 
wearout  characteristics.  It  happens,  however,  that  these  two  curves  are 
associated  with  a great  many  single-celled  or  simple  items  - in  the  case 
of  aircraft,  such  items  as  tires,  reciprocating-engine  cylinders,  brake 
pads,  turbine-engine  compressor  blades,  and  all  parts  of  the  airplane 
structure. 

The  relative  frequency  of  each  type  of  conditional-probability  curve 
proved  especially  interesting.  Some  89  percent  of  the  items  analyzed 
had  no  wearout  zone;  therefore  their  performance  could  not  be  im- 
proved by  the  imposition  of  an  age  limit.  In  fact,  after  a certain  age  the 
conditional  probability  of  failure  continued  on  at  a constant  rate  (curves 
D,  E,  and  F).  Another  5 percent  had  no  well-defined  wearout  zone 
(curve  C)  but  did  become  steadily  more  likely  to  fail  as  age  increased. 
For  a very  few  of  these  items  an  age  limit  might  prove  useful,  provided 
that  it  was  cost-effective. 

Only  6 percent  of  the  items  studied  showed  pronounced  wearout 
characteristics  (curves  A and  B).  Although  an  age  limit  would  be  appli- 
cable to  these  items,  as  we  have  seen,  its  effectiveness  depends  on  a 
high  probability  that  the  item  will  survive  to  that  age.  However,  the 
conditional-probability  curves  make  it  possible  to  identify  those  items 
that  might  benefit  from  such  a limit,  and  the  question  of  effectiveness 
can  then  be  investigated.  Although  it  is  often  assumed  that  the  bathtub 
curve  is  representative  of  most  items,  note  that  just  4 percent  of  the 
items  fell  into  this  pattern  (curve  A).  Moreover,  most  complex  items  had 
conditional-probability  curves  represented  by  curves  C to  F — that  is, 
they  showed  no  concentration  of  failures  directly  related  to  operating 
age. 

The  basic  difference  between  the  failure  patterns  of  complex  and 
simple  items  has  important  implications  for  maintenance.  Usually  the 
conditional-probability  curve  for  a complex  item  will  show  some  infant 
mortality;  often  the  probability  of  failure  right  after  installation  is  fairly 


SECTION  2 


high.  Usually,  also,  the  conditional-probability  curve  shows  no  marked 
point  of  increase  with  increasing  age;  the  failure  probability  may  in- 
crease gradually  or  remain  constant,  but  there  is  no  age  that  can  be 
identified  as  the  beginning  of  a wearout  zone.  For  this  reason,  unless 
1 there  is  a dominant  f ailure  mode,  an  age  limit  does  little  or  nothing  to 

improve  the  overall  reliability  of  a complex  item.  In  fact,  in  many  cases 
scheduled  overhaul  actually  increases  the  overall  failure  rate  by  intro- 
ducing a high  infant- mortality  rate  in  an  otherwise  stable  system. 

In  contrast,  single-celled  and  simple  items  frequently  do  show  a 
direct  relationship  between  reliability  and  increasing  age.  This  is  partic- 
ularly true  of  parts  subject  to  metal  fatigue  or  mechanical  wear  and 
items  designed  as  consumables.  In  this  case  an  age  limit  based  on  some 
maximum  operating  age  or  number  of  stress  cycles  may  be  highly  ef- 
fective in  improving  the  overall  reliability  of  a complex  item.  Such 
limits  in  fact  play  a major  role  in  controlling  critical- failure  modes,  since 
they  can  be  imposed  on  the  part  or  component  in  which  a given  type  of 
failure  originates. 

It  is  apparent  from  our  discussion  thus  far  that  most  statements 
about  the  "life"  of  equipment  tell  us  little  about  its  age-reliability  char- 
acteristics. For  example,  the  statement  that  an  aircraft  engine  has  a life 
of  2,000  operating  hours  might  mean  any  of  the  following: 

► No  engines  fail  before  reaching  2,000  hours. 

N No  critical  engine  failures  occur  before  2,000  hours. 

► Half  the  engines  fail  before  2,000  hours. 

► The  average  age  of  failed  engines  is  2,000  hours. 

► The  conditional  probability  of  failure  is  constant  below  2,000  hours. 

► Some  part  in  the  engine  has  a life  limit  of  2,000  hours. 

The  definition  of  reliability  is  the  probability  that  an  item  will  survive 
| a given  operating  period,  under  specified  operating  conditions,  without 

failure.  In  discussions  of  reliability,  therefore,  it  is  insufficient  to  state 
* an  operating  period  alone  as  the  "life"  of  an  item.  This  statement  has 

no  meaning  unless  a probability  of  survival  is  associated  with  it. 
i It  should  also  be  apparent  by  now  why  the  failure  rate  plays  a 

relatively  unimportant  role  in  maintenance  programs:  it  is  too  simple  a 
measure.  Although  the  frequency  of  failures  is  useful  in  making  cost 
, decisions  and  in  establishing  appropriate  intervals  for  maintenance 

j tasks,  it  tells  us  nothing  about  what  tasks  are  appropriate  or  the  con- 

sequences  that  dictate  their  objective.  The  effectiveness  of  a particular 

(maintenance  solution  can  be  evaluated  only  in  terms  of  the  safety  or 

48  THEORY  AND  PRINCIPLES  economic  consequences  it  is  intended  to  prevent.  By  the  same  token,  a 
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maintenance  task  must  be  applicable  to  the  item  in  question  in  order 
to  have  any  effect  at  all.  Hence  we  must  now  consider  the  possible  forms 
of  preventive  maintenance  and  see  how  an  understanding  of  the  failure 
process  and  the  age-reliability  characteristics  of  an  item  permit  us  to 
generate  maintenance  tasks  on  the  basis  of  explicit  criteria. 
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CHAPTER  THREE 

the  four  basic  maintenance  tasks 


RCM  PROGRAMS  consist  of  specific  tasks  selected  on  the  basis  of  the 
actual  reliability  characteristics  of  the  equipment  they  are  designed  to 
protect.  All  these  tasks  can  be  described  in  terms  of  four  basic  forms  of 
preventive  maintenance,  each  of  which  is  applicable  under  a unique 
set  of  circumstances: 

► Scheduled  inspection  of  an  item  at  regular  intervals  to  find  any 
potential  failures 

► Scheduled  rework  of  an  item  at  or  before  some  specified  age  limit 

► Scheduled  discard  of  an  item  (or  one  of  its  parts)  at  or  before  some 
specified  life  limit 

► Scheduled  inspection  of  a hidden-function  item  to  find  any  func- 
tional failures 

The  first  three  types  of  tasks  are  directed  at  preventing  single  failures 
and  the  fourth  at  preventing  multiple  failures.  Inspection  tasks  can 
usually  be  performed  without  removing  the  item  from  its  installed  posi- 
tion, whereas  rework  and  discard  tasks  generally  require  that  the  item 
be  removed  from  the  equipment  and  sent  to  a major  maintenance  base. 

The  development  of  a scheduled-maintenance  program  consists  of 
determining  which  of  these  four  tasks,  if  any,  are  both  applicable  and 
effective  for  a given  item.  Applicability  depends  on  the  failure  charac- 
teristics of  the  item.  Thus  an  inspection  for  potential  failures  can  be 
applicable  only  if  the  item  has  characteristics  that  make  it  possible  to 
define  a potential-failure  condition.  Similarly,  an  age-limit  task  will  be 
applicable  only  if  the  failures  at  which  the  task  is  directed  are  related  to 
50  theory  and  principles  age.  Effectiveness  is  a measure  of  the  results  of  the  task;  the  task  objec- 


five,  however,  depends  on  the  failure  consequences  involved.  A pro- 
posed task  might  appear  useful  if  it  promises  to  reduce  the  overall 
failure  rate,  but  it  could  not  be  considered  effective  if  the  purpose  in 
applying  it  was  to  avoid  functional  failures  altogether. 

For  inspection  tasks  the  distinction  between  applicability  and 
effectiveness  is  usually  obvious:  the  item  either  does  or  does  not  have 
characteristics  that  make  such  a task  applicable.  For  age-limit  tasks, 
however,  the  distinction  is  sometimes  blurred  by  the  intuitive  belief 
that  the  task  is  always  applicable  and  therefore  must  also  be  effective. 
In  reality  imposing  an  age  limit  on  an  item  does  not  in  itself  guarantee 
that  its  failure  rate  will  be  reduced.  The  issue  in  this  case  is  not  whether 
the  task  can  be  done,  but  whether  doing  it  will  in  fact  improve  reliability. 


3 • 1 SCHEDULED  ON-CONDITION  TASKS 

Scheduled  inspections  to  detect  potential  failures  are  commonly  termed  detection  of  poicnii.il  foilm-.-, 
on-condition  tasks,  since  they  call  for  the  removal  or  repair  of  individual  .ippiicdbiiity  critcri.i 
units  of  an  item  "on  the  condition"  that  they  do  not  meet  the  required  etfectivencss  critcri.i 
standard.  Such  tasks  are  directed  at  specific  failure  modes  and  are  based  |nsP«'tion  mierv.ils 
on  the  feasibility  of  defining  some  identifiable  physical  evidence  of  a 
reduced  resistance  to  the  type  of  failure  in  question.  Each  unit  is  in- 
spected at  regular  intervals  and  remains  in  service  until  its  failure 
resistance  falls  below  a defined  level  — that  is,  until  a potential  failure  is 
discovered.  Since  on-condition  tasks  discriminate  between  units  that 
require  corrective  maintenance  to  forestall  a functional  failure  and  those 
units  that  will  probably  survive  to  the  next  inspection,  they  permit  all 

units  of  the  item  to  realize  most  of  their  useful  lives.  SECTION  J-l  51 
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This  type  of  task  is  applicable  to  tires,  brakes,  many  parts  of  an  air- 
craft powerplant,  and  much  of  its  structure.  Many  routine  servicing 
tasks,  such  as  checking  oil  quantity  and  tire  pressure,  are  on-condition 
tasks.  The  applicability  of  an  on-condition  task  depends  to  some  extent 
on  both  maintenance  technology  and  the  design  of  the  equipment.  For 
example,  borescope  and  radioisotope  techniques  have  been  developed 
for  inspecting  turbine  engines,  but  these  techniques  are  of  value  chiefly 
because  the  engines  have  been  designed  to  facilitate  theii  use. 

If  on-condition  tasks  were  universally  applicable,  all  failure  possi- 
bilities could  be  dealt  with  in  this  way.  Unfortunately  there  are  many 
types  of  failures  in  which  the  failure  mode  is  not  clearly  understood  or 
is  unpredictable  or  gives  insufficient  warning  for  preventive  measures 
to  be  effective.  There  are  three  criteria  that  must  be  met  for  an  on- 
condition  task  to  be  applicable: 

► It  must  be  possible  to  detect  reduced  failure  resistance  for  a specific 
failure  mode. 

► It  must  be  possible  to  define  a potential-failure  condition  that  can 
be  detected  by  an  explicit  task. 

► There  must  be  a reasonably  consistent  age  interval  between  the 
time  of  potential  failure  and  the  time  of  functional  failure. 

As  an  example,  suppose  a visible  crack  is  used  as  a measure  of 
metal  fatigue,  as  shown  in  Exhibit  3.1.  Such  an  item  is  most  failure 
resistant  when  it  is  new  (point  A).  The  resistance  drops  steadilv  with 
increasing  age  and  is  already  somewhat  reduced  by  the  time  a crack 
appears  (point  B ).  Thereafter  it  is  possible  to  monitor  the  growth  of  the 
crack  and  define  a potential-failure  point  C far  enough  in  advance  to 
permit  removal  of  the  item  before  a functional  failure  occurs  (point  D ). 
Once  a crack  has  appeared,  the  failure  resistance  drops  more  rapidly; 
hence  the  rate  of  crack  growth  in  this  item  must  be  known  in  order  to 
establish  an  inspection  interval  AT  that  will  effectively  control  this 
failure  mode. 

The  data  for  the  entire  population  of  this  item  would  define  a range 
of  failure  ages  rather  than  one  specific  age.  Hence  both  the  defined 
potential  failure  and  the  frequency  of  inspections  depend  on  the  objec- 
tive of  the  task.  If  a functional  failure  would  have  safety  consequences, 
then  the  objective  is  to  prevent  all  such  failures.  In  this  case  an  on- 
condition  task  may  be  applicable,  but  it  would  be  considered  effective 
only  if  it  minimized  the  likelihood  of  a critical  failure.  If  the  failure  does 
not  involve  safety,  then  effectiveness  is  measured  in  economic  terms  — 
that  is,  the  task  is  effective  only  if  it  is  cost-effective.  In  the  case  of  oper- 
ational consequences  this  means  that  the  cost  of  finding  and  correcting 
potential  failures  must  be  less  than  the  combined  cost  of  the  operational 
52  THEORY  AND  PRINCIPLES  consequences  plus  the  cost  of  repairing  the  failed  units.  It  follows  from 
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EXHIBIT  3*1  Determining  the  interval  for  on-condition  inspection 
of  an  item  subject  to  metal  fatigue.  Once  the  rate  of  decline  in  failure 
resistance  has  been  determined,  an  inspection  interval  AT  is  established 
that  proyides  ample  opportunity  to  detect  a potential  failure  before  a 
functional  failure  can  occur. 


this  that  when  an  on-condition  task  is  effective  in  reducing  the  failure 
rate,  and  hence  the  frequency  of  operational  consequences,  it  is  usually 
also  cost-effective,  since  the  cost  of  inspection  is  relatively  low. 

Exhibit  3.2  shows  some  typical  on-condition  tasks  for  an  aircraft. 
The  first  example  concerns  a specific  failure  mode  of  an  aircraft  engine 
that  has  a set  of  24  tie  bolts  between  the  fourth  and  fifth  stages  of  its 
turbine  to  hold  an  air  seal  in  position  (and  a similar  set  of  tie  bolts 
between  the  fifth  and  sixth  stages).  Failure  of  this  set  of  tie  bolts  would 
result  in  a loose  air  seal  and  cause  major  damage  to  the  engine.  Lowered 
resistance  to  failure  is  evidenced  by  the  failure  of  one  or  more  individual 
bolts.  (Note  that  although  this  would  be  a functional  failure  of  the  tie 
bolts,  it  is  a potential  failure  from  the  standpoint  of  the  engine.) 

The  second  example  concerns  the  nozzle  guide  vanes  of  the  same 
engine.  These  vanes  are  subject  to  burning  by  the  hot  exhaust  gases  of 
the  engine,  and  also  to  erosion  by  hard  carbon  particles  from  the  com- 
bustor. The  required  borescope  inspection  is  a visual  inspection  to 
determine  how  much  damage  has  occurred  on  the  airfoil  and  inner  plat- 
form of  the  vane.  The  definition  of  potential-failure  conditions  in  this 
case  is  quite  complex;  in  practice  the  interval  between  inspections  is 
reduced  as  the  condition  deteriorates,  until  a point  is  reached  at  which 
the  engine  must  be  removed  from  service. 
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1 LOW-PRESSURE  TURBINE  SECTION 
Check  for  failed  airseal  tie  bolts. 

Note:  Airseal  tie  bolts  between  fourth-  and  fifth-stage  and  sixth- 
stage  rotors  (last  three  stages)  are  failing.  These  broken  bolts  are 
trapped  in  the  airseal  between  the  rotors  and  cause  a rattling  sound 
as  they  roll  when  the  turbine  is  slowly  rotated. 

A Have  fan  rotated  180  degrees  very  slowly.  Repeat  180-degree 
rotation  as  often  as  necessary. 

B Listen  at  tailcone  for  rattling  sound  caused  by  broken  bolts 
rolling  around  (do  not  confuse  with  clanking  sound  of  blades). 
Attempt  to  determine  number  of  broken  bolts  by  counting  rattler . 

C Failed- bolt  limits. 

Three  or  fewer  broken  bolts:  engine  may  remain  in  service. 

Four  or  more  broken  bolts:  engine  must  be  borescoped  within 
75  hours. 

D Supply  the  following  information: 

(1)  Plane  number Engine  position 

Engine  time  since  last  shop  visit 

(2)  Number  of  broken  bolts  estimated  from 

“listening"  check 

E Send  DIS*P5106  message  giving  above  information. 

2 FIRST-STAGE  NOZZLE  GUIDE  VANES 

Borcscope  inspection  (Boeing  747  JT9D  powerplant). 

A Perform  initial  horoscope  inspection  of  first-stage  nozzle 
guide  vanes  at  600  hours.  Perform  repeat  inspections  at 
600,  200,  75,  or  30  hours,  depending  on  conditions  four.  4. 

B Distress  limits  as  given  in  MM/OV  72-00-99: 

(T>  Trailing-edge  cracks:  maximum  of  5 cracks  per  vane  extending 
to  window  (slot)  leading  edge.  If  distress  exceeds  this  limit, 
remove  engine;  otherwise,  repeat  inspection  in  600  hours. 

(2)  Trailing-edge  erosion:  If  burning-surface  bum-through  does 
not  exceed  1/2  by  1/2  inch,  repeat  inspection  in  600  hours;  if 
bum-through  does  not  exceed  3/4  by  3/4  inch,  repeat  inspec- 
tion in  200  hours;  if  bum-through  does  not  exceed  1 by  1 inch, 
repeat  inspection  in  75  hours.  If  surface  bum-through  is  up 
to  5/8  inch  from  leading  edge,  repeat  inspection  in  30  hours. 

Note:  30-hour  limit  is  a maximum  fly-back  limit,  to  be  used 
one  time  only. 


3  FIRE* DETECTOR  INSTALLATIONS 

Intensified  inspection  of  installations,  leads,  and  connections. 

A Check  for  minimum  clearance  of  1/16  inch  between  sensing 
elements  and  engine,  as  well  as  between  various  engine 
components.  Provide  necessary  clearance. 

B Check  for  any  signs  of  wear. 

C Wear  limits: 

Acceptable:  Flat  spots  not  exceeding  0.035  inch  in  width; 
any  length  acceptable. 

Not  acceptable:  Flat  spots  exceeding  0.035  inch  in  width  or  worn 
spot  exposing  inner  conductor  or  composition  material  between 
inner  conductor  and  outer  sensing-element  shell. 

Note:  Nominal  diameter  is  0.070  inch. 


4  BRAKE  ASSEMBLY,  MAIN  LANDING  GEAR 

Check  brake-lining  wear  at  each  assembly,  using  small  scale. 

A Set  parking  brakes. 

B Measure  wear-indicator  pin  extension  at  both  indicator  pins. 

C Wear  limits: 

If  either  pin  is  less  than  0.25  inch  in  length,  replace  brake 
assembly. 

Note:  Replacement  may  be  deferred,  with  approval  from 
SFOLM,  provided  wear-indicator  pin  measures  longer  than 

13/64  inch.  If  wear-indicator  pin  length  is  13/64  inch  or  less,  i 

immediate  replacement  is  required.  j 


S  PNEUMATIC  DRIVE  UNITS,  LEADING  EDGE  HAP  ! 

Check  oil  level  and  service  as  required.  i 

r 

Note:  Drive  units  are  numbered  from  outboard  to  inboard,  1 to  4,  ' 

left  and  right  wing. 

A Check  oil  level  in  proper  sight  glass.  If  oil  level  is  visible  in 
sight  glass,  no  service  is  required. 

B If  oil  is  not  visible,  slowly  add  oil  (OIL  2360)  through  fill  port 
until  sight  glass  is  filled.  Use  53769  oil  dispenser. 

C Allow  excess  oil  to  drain  out  before  installing  fill  plug. 
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In  the  third  example  the  potential  failure  may  be  either  lack  of 
adequate  clearance  or  visible  wear  on  fire-detector  sensing  elements 
and  leads.  The  fourth  and  fifth  examples  involve  less  judgment  in  the 
inspection  process.  Exact  limits  are  given  for  the  brake  wear-indicator 
pin  in  the  first  case  and  oil  level  in  the  pneumatic  unit  in  the  second 
case.  Both  require  a clearcut  response  on  the  part  of  the  inspecting 
mechanic. 

Whenever  an  on -condition  task  is  applicable,  it  is  the  most  desir- 
able type  of  preventive  maintenance.  Not  only  does  it  avoid  the  pre- 
mature removal  of  units  that  are  still  in  satisfactory  condition,  but  the 
cost  of  correcting  potential  failures  is  often  far  less  than  the  cost  of  cor- 
recting functional  failures,  especially  those  that  cause  extensive  second- 
ary damage.  For  this  reason  on-condition  inspection  tasks  are  steadily 
replacing  older  practices  for  the  maintenance  of  airline  equipment. 


3 • 2 SCHEDULED  REWORK  TASKS 

applicability  criteria  Many  single-celled  and  simple  items  display  wearout  characteristics  — 
effectiveness  criteria  that  is,  the  probability  of  their  failure  becomes  significantly  greater 
effect  of  an  age  limit  on  af(er  a certain  operating  age.  When  an  item  does  have  an  identifiable 
maintenance  workload  wearoUf  agC;  its  overall  failure  rate  can  sometimes  be  reduced  by  im- 
posing a hard-time  limit  on  all  units  to  prevent  operation  at  the  ages 
of  higher  failure  frequency.  If  the  item  is  such  that  its  original  failure 
resistance  can  be  restored  by  rework  or  remanufacture,  the  necessary 
rework  task  may  be  scheduled  at  appropriate  intervals.*  For  example, 
the  airplane  tire  in  Exhibit  2.4  could  have  been  scheduled  for  rework 
after  a specified  number  of  landings,  since  retreading  restores  the 
original  failure  resistance.  However,  this  would  have  resulted  in  the 
retreading  of  all  tires  at  the  specified  age  limit,  whether  they  needed  it 
or  not,  and  would  not  have  prevented  functional  failures  in  those  tires 
that  failed  earlier  than  anticipated. 

Where  no  potential-failure  condition  can  be  defined,  on-condition 
inspection  of  individual  units  is  not  feasible.  In  such  cases  a rework 
task  mav  be  applicable,  either  for  a simple  item  or  to  control  a specific 
failure  mode  in  a complex  item.  Although  the  age  limit  will  be  wasteful 
for  some  units  and  ineffective  for  others,  the  net  effect  on  the  entire 
population  of  that  item  will  be  favorable.  This  is  not  the  case,  however, 
for  complete  rework  of  a complex  item.  As  we  saw  in  Chapter  2,  failures 
in  complex  items  are  the  result  of  many  different  failure  modes,  each  of 

'The  term  overhaul  has  the  connotation  that  the  unit  is  completely  disassembled  and  re- 
manufactured part  by  part  to  restore  it  as  nearly  as  possible  to  a "like-new  ' physical 
condition.  Rework  refers  to  a set  of  maintenance  operations  considered  sufficient  to 
restore  the  unit's  original  resistance  to  failure.  Thus  rework  for  specific  items  may  range 
from  replacement  of  a single  part  to  complete  remanufacture. 
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which  may  occur  at  a different  average  age.  Consequently  the  overall 
failure  rate  of  such  items  remains  relatively  constant;  in  some  cases 
reliability  decreases  gradually  with  age,  but  there  is  no  particular  age 
that  can  be  identified  as  a wearout  zone.  Thus,  unless  there  is  a domi- 
nant failure  mode  which  is  eliminated  in  the  course  of  rework,  complete 
rework  of  a complex  item  will  have  little  or  no  effect  on  the  overall 
failure  rate. 

A rework  task  can  be  considered  applicable  to  an  item  only  if  the 
following  criteria  are  met: 

► There  must  be  an  identifiable  age  at  which  the  item  shows  a rapid 

increase  in  the  conditional  probability  of  failure. 

► A large  proportion  of  the  units  must  survive  to  that  ag.. 

► It  must  be  possible  to  restore  the  original  failure  resistance  of  the 

item  by  reworking  it. 

Because  the  information  required  to  develop  survival  and  conditional- 
probability  curves  for  an  item  is  not  available  when  equipment  first 
goes  into  service,  scheduled  rework  tasks  rarely  appear  in  a prior-to- 
service  maintenance  program  (only  seven  components  were  assigned  to 
scheduled  rework  in  the  initial  program  developed  for  the  Douglas 
DC-10).  Often,  however,  those  items  subject  to  very  expensive  failures 
are  put  into  an  age-exploration  program  to  find  out  as  soon  as  possible 
whether  they  would  benefit  from  scheduled  rework. 

Even  when  scheduled  rework  is  applicable  to  an  item,  very  often  it 
does  not  meet  the  conditions  for  effectiveness.  A reduction  in  the  num- 
ber of  expected  failures,  for  example,  would  not  be  sufficient  in  the  case 
of  safety  consequences,  and  in  the  case  of  economic  consequences  the 
task  must  be  cost-effective.  Moreover,  since  an  age  limit  lowers  the 
average  realized  age  of  an  item,  it  always  increases  the  total  number  of 
units  sent  to  the  shop  for  rework. 

As  an  example,  consider  the  effect  scheduled  rework  would  have 
on  the  turbine  engine  discussed  in  Section  2.7.  With  no  age  limit,  the 
failure  rate  of  these  engines  is  0.552  failures  per  1,000  hours.  Thus  over 
an  operating  period  of  1 million  hours  an  average  of  552.2  failed  units 
(1,000,000/1,811)  are  sent  to  the  shop  for  repair  (see  Exhibit  3.3).  A 
rework  age  limit  of  2,000  hours  will  reduce  the  failure  rate  to  0.416;  how- 
ever, it  will  also  reduce  the  average  realized  age  from  1,811  hours  to 
1,393  hours.  Since  42  percent  of  the  units  survive  to  2,000  hours,  over 
the  same  operating  period  an  average  of  717.9  units  would  be  sent  to  the 
shop  — the  416.3  units  that  failed  plus  the  additional  301.6  scheduled 
removals.  In  other  words,  there  would  be  about  135  fewer  failures,  but 
166  more  engines  that  required  rework.  On  this  basis  scheduled  rework 
at  2,000-hour  intervals  would  not  be  cost-effective  unless  the  rework 
cost  for  scheduled  removals  were  substantially  lower  than  the  cost  of 


age  limit 
(hours) 

failure  rate 
(per  1,000  hours) 

percentage  of  units 
surviving  to  age  limit 

averaged  realized 
engine  age  (hours) 

1,000 

04681 

69.2 

898 

2,000 

0.4169 

42.0 

1499 

3,000 

0.4871 

17.9 

1489 

None 

0.S522 

0 
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repairing  failures  (in  this  case  the  rework  cost  would  have  to  be  less 
than  135.9/301.6,  or  45.1  percent,  of  the  repair  cost). 

Of  course,  the  direct  cost  of  rework  is  not  the  only  economic  factor 
to  be  taken  into  account.  If  the  failure  is  one  that  has  operational  con- 
sequences, the  reduction  in  the  number  of  failures  may  more  than  offset 
the  additional  cost  of  rework.  Determining  the  economic  desirability  of 
a proposed  rework  age  limit  will  be  discussed  in  greater  detail  in  the 
next  chapter.  In  general,  however,  the  effect  of  at  least  four  possible 
rework  intervals  must  be  analyzed  before  an  optimum  limit  can  be 
determined  — if  indeed  one  does  exist.  In  most  cases  a rework  task  will 
not  prove  cost-effective  unless  the  item  has  an  unusually  expensive 
failure  mode  or  the  cost  of  a functional  failure  includes  economic  losses 
other  than  the  direct  cost  of  repair. 


3 i SCHEDULED  DISCARD  TASKS 

The  scheduled  rework  of  items  at  a specified  age  limit  is  one  type  of 
hard-time  task;  the  other  is  scheduled  discard  of  items  or  certain  of  their 
parts  at  some  specified  operating  age.  Such  tasks  are  frequently  termed 
life-limit  tasks.  Life  limits  may  be  established  to  avoid  critical  failures, 
in  which  case  they  are  called  safe-life  limits,  or  they  may  be  established 
because  they  are  cost-effective  in  preventing  noncritical  failures,  in 
which  case  they  are  called  economic-life  limits. 

SAFE- LITE  LIMITS 

A safe-life  limit  is  imposed  on  an  item  only  when  safety  is  involved  and 
there  is  no  observable  condition  that  can  be  defined  as  a potential  fail- 
ure. In  this  case  the  item  is  removed  at  or  before  the  specified  maximum 
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age  and  is  either  discarded  or  disassembled  for  discard  of  a time-expired 
part.  This  practice  is  most  useful  for  simple  items  or  individual  parts  of 
complex  items,  such  as  pyrotechnic  devices  in  ejection  seats,  which  have 
a limited  shelf  life,  and  turbine-engine  disks  or  nonredundant  structural 
members,  which  are  subject  to  metal  fatigue. 

The  safe- life  limit  itself  is  usually  established  by  the  equipment 
manufacturer  on  the  basis  of  developmental  testing.  A component 
whose  failure  would  be  critical  is  designed  to  begin  with  to  have  a very 
long  life.  It  is  then  tested  in  a simulated  operating  environment  to  deter- 
mine what  average  life  has  actually  been  achieved,  and  a conservatively 
safe  fraction  of  this  average  life  is  used  as  the  safe-life  limit. 

Safe-life  items  are  nearly  always  single-celled  parts,  and  their  ages 
at  failure  are  grouped  fairly  closely  about  the  average.  However,  the  cor- 
relation between  a test  environment  and  the  actual  operating  environ- 
ment is  never  perfect.  Moreover,  because  testing  a long-lived  part  to 
failure  is  both  time-consuming  and  expensive,  the  volume  of  test  data 
is  often  too  small  to  permit  us  to  draw  a survival  curve  with  much  confi- 
dence. For  this  reason  safe-life  limits  are  usually  established  by  dividing 
the  average  failure  age  by  a large  arbitrary  factor  — sometimes  a factor 
as  large  as  3 or  4.  The  implication  is  that  the  conditional  probability  of 
failure  at  this  limit  is  essentially  zero;  that  is,  a safe-life  limit  is  based  on 
a 100  percent  probability  of  survival  to  that  age.  The  difference  between 
a safe-life  limit  and  the  average  age  at  failure  is  illustrated  in  Exhibit  3.4. 

A safe-life  discard  task  is  applicable  only  under  the  following 
circumstances: 

► The  item  must  be  subject  to  a critical  failure. 

► Test  data  must  show  that  no  failures  are  expected  to  occur  below 

the  specified  life  limit. 
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EXHIBIT  3 '4  Comparison  of  the  average  age  at  failure  (average  life) 
determined  from  operating  data  and  a safe-life  limit  determined  on  the 
basis  of  test  data. 


Since  the  function  of  a safe-life  ,;mit  is  to  avoid  the  occurrence  of 
a critical  failure,  the  resulting  discard  task  is  effective  only  if  it  accom- 
plishes this  objective.  Thus  the  only  information  for  assessing  effective- 
ness in  this  case  will  be  the  manufacturer's  test  data.  Sometimes  these 
tests  have  not  been  completed  at  the  time  the  initial  program  is  devel- 
oped, but  until  a limit  can  be  established,  the  available  test  data  must 
show  that  the  anticipated  in-service  aging  of  the  item  will  be  safe.  An 
operating  organization  rarely  has  the  facilities  for  further  simulation 
testing  that  might  justify  increasing  a safe-life  limit,  nor  is  there  usually 
a reasonable  basis  for  reducing  it,  unless  failures  occur. 

ECONOMIC-LIFE  LIMITS 

In  some  instances  extensive  operating  experience  may  indicate  that 
scheduled  discard  ot  an  item  is  desirable  on  purely  economic  grounds. 
An  economic-life  limit,  however,  is  established  in  the  same  manner  as 
an  age  limit  for  scheduled  rework;  that  is,  it  is  based  on  the  actual  age- 
reliability  relationship  of  the  item,  rather  than  on  some  fraction  of 
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to  avoid  accumulating  any  failure  data,  the  only  justification  for  an 
economic-life  limit  is  cost  effectiveness.  Thus  the  failure  rate  must  be 
known  in  order  to  predict  how  the  total  number  of  scheduled  removals 
at  various  age  limits  would  affect  the  cost-benefit  ratio. 

In  general,  an  economic-life  task  requires  the  following  three 
conditions: 

► The  item  must  be  subject  to  a failure  that  has  major  economic  (but 
not  safety)  consequences. 

► There  must  be  an  identifiable  age  at  which  the  item  shows  a rapid 
increase  in  the  conditional  probability  of  failun  , 

► A large  proportion  of  the  units  must  survive  to  that  age. 

Although  an  item  that  meets  the  first  criterion  may  be  put  into  an  age- 
exploration  program  to  find  out  if  a life  limit  is  applicable,  there  are 
rarely  sufficient  grounds  for  including  this  type  of  discard  task  in  an 
initial  scheduled-maintenance  program. 


3 * 4 SCHEDULED  FAILUREFINDING  TASKS 

Whenever  an  item  is  subject  to  a functional  failure  that  would  not  be  .ipplio.<bili«v  iriton.i 

evident  to  the  operating  crew,  a scheduled  task  is  necessary  to  project  lU-u-imining  .iw-rano 

the  availability  of  that  function.  Although  hidden-function  failures, 
by  definition,  have  no  immediate  consequences,  failures  that  are  un- 
detected increase  the  exposure  to  a possible  multiple  failure.  Hence, 
if  no  other  type  of  maintenance  task  is  applicable  and  effective,  hidden- 
function  items  are  assigned  failure-finding  tasks,  scheduled  inspections 
for  hidden  failures.  Although  such  tasks  are  intended  to  locate  func- 
tional failures  rather  than  potential  failures,  they  can  be  viewed  as  a 
type  of  on-condition  maintenance,  since  the  failure  of  a hidden-function 
item  can  also  be  viewed  as  a potential  multiple  failure.  The  chief  differ- 
ence is  in  the  level  of  item  considered;  a functional  failure  of  one  item 
may  be  only  a potential  failure  for  the  equipment  as  a whole. 

Most  items  supported  by  failure-finding  inspections  remain  in 
service  until  a functional  failure  is  discovered.  Some  items,  however, 
have  several  functions,  of  which  only  one  or  a few  are  hidden.  Such 
items  will  be  removed  from  service  to  correct  evident  failures,  and  if 
the  removal  rate  is  sufficient  to  ensure  adequate  availability  of  the 
hidden  function,  the  shop  specifications  may  include  a failure-finding 
inspection  at  that  time.  Other  items  may  not  require  scheduled  failure- 
finding tasks  because  the  operating  crew  is  required  to  check  them 
periodically.  Many  hidden  functions,  especially  in  systems,  are  made 
evident  by  the  addition  of  instrumentation,  so  that  a separate  inspec- 
tion for  hidden  failures  is  unnecessary. 
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A scheduled  failure-finding  task  is  applicable  to  an  item  under  the 
following  two  conditions.  Note  that  the  second  criterion  is  in  fact  a 
default  condition: 

^ The  item  must  be  subject  to  a functional  failure  that  ir  ot  evident 
to  the  operating  crew  during  the  performance  of  nor  al  duties. 

^ The  item  must  be  one  for  which  no  other  type  of  task  is  applicable 
and  effective. 

The  objective  of  a failure-finding  task  is  to  ensure  adequate  availability 
of  a hidden  function.  The  level  of  availability  that  is  needed,  however, 
depends  on  the  nature  of  the  function  and  the  consequences  of  a pos- 
sible multiple  failure.  Some  hidden  functions,  such  as  the  fire-waming 
system  in  an  aircraft  powerpiant,  are  sufficiently  important  that  they 
are  tested  before  every  flight. 

' Dproi">riate  intervals  for  failure-finding  tasks  cannot  be  deter- 
mine . a'  _ctly  as  those  for  other  types  of  tasks.  In  the  case  of  emer- 
gency equipment  hidden-function  items  i /hich  are  replaced  at  specified 
intervals,  such  as  pyrotechnic  devices,  are  tested  prior  to  rework  or 
discard  to  see  if  they  would  have  functioned  had  they  been  needed. 
The  test  results  at  any  given  interval  provide  a basis  for  increasing  or 
decreasing  the  interval.  In  other  cases  the  expected  availability  of  a hid- 
den function  can  be  approximated  by  assuming  that  the  age-reliability 
relationship  is  exponential/  assigning  a conservatively  high  failure 
rate,  and  then  determining  the  probability  of  survival  across  a given 
inspection  interval. 

As  an  example,  suppose  some  hidden  function  has  an  anticipated 
failure  rate  of  0.5  per  1,000  hours.  The  mean  time  between  failures  is 
then  2,000  hours.  If  the  proposed  inspection  interval  is  500  hours,  a 
unit  that  is  serviceable  at  one  inspection  will  have  aged  500  hours  by 
the  next  inspection.  The  probability  that  it  will  survive  this  500-hour 
interval  (one-fourth  of  the  mean  time  between  failures)  is  .78  on  an 
exponential  curve  (Exhibit  3.5).  The  average  availability  would  thus  be 

1:00  + 07?  = Q89 

or  a probability  of  .89  that  the  item  will  function  if  it  is  needed.  If  this 
degree  of  reliability  is  inadequate,  the  inspection  interval  must  be 
reduced.  Failure-finding  tasks  are  always  effective  if  the  inspection 
interval  is  short  enough. 

To  be  considered  effective  a failure-finding  task  must  ensure  the 
required  level  of  availability.  However,  thir  task  must  also  be  cost- 

*lf  the  conditional  probability  of  failure  is  nonincreasi.ig,  this  is  a conservative  assump- 
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Ratio  of  interval  to  mean  time  kttwm  failure* 

EXHIBIT  3 >5  Establishing  thejinterval  fora  failure-finding  inspection. 
The  age-reliability  relationship  of  an  item  is  assumed,  in  the  absence 
of  information,  to  be  exponential  over  operating  age.  i'hus  al  an 
inspection  interval  equal  to  one-fourth  of  the  mean  time  between 
failures,  the  probability  that  the  item  will  survive  that  interval  is  .78. 

I bis  is  true  of  the  interval  between  any  two  inspections,  regardless 
of  the  age  of  the  item.  On  the  basis  of  this  inspection  interval,  the 
average  availability  of  the  unit  would  be  89  percent.  An  interval  that 
represented  a smaller  fraction  of  the  expected  mean  time  between 
failures  would  yield  a higher  average  availability. 


effective  with  respect  to  the  three  other  types  of  maintenance  tasks  — that 
is,  it  must  be  the  least  expensive  means  of  ensuring  the  necessary  level 
of  availability.  When  a possible  multiple  failure  is  not  related  to  safety, 
an  availability  goal  of  95  percent  is  often  used.  Alternatively,  the  eco- 
nomic consequences  of  the  multiple  failure  can  be  balanced  against  the 
costs  of  inspection  to  determine  the  most  cost-effective  interval  and 
availability  level. 

Exhibit  3.6  shows  some  typical  failure-finding  ' -sks  for  a commer- 
cial aircraft.  In  each  case  the  scheduled  task  is  designed  to  identify  a 
functional  failure.  In  the  second  example  the  failure  might  or  might  not 
be  evident  to  the  operating  crew,  depending  on  whether  a complaint 

was  received  from  a passenger.  SECTION  3-4  63 
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EXHIBIT  3 *6  I \.t  in  pies  ol  ••liluiv-liinlinj;  inspi'ilinn  l.isks  .is  spot  itiod 
itti  .1  i 1 1 1 nt*  m.nntt'ii.iiH  t*  me  h.inii  s.  In  (his  t.iso  tlio  uioch.mii  is 
it*t|iiiivti  oi’.K  to  u'pl.uo  *ho  l.iiloti  units.  (l  m toil  Airlines) 


t smow  coccus 

Replace  missing  or  damaged  goggles  (not  repairable)  as  required  by 
the  following  conditions: 

A Plastic-foam  face  seal  not  adhering  to  goggle  rim 
B Lens  not  retained  within  goggle  groove 
C Dirt  or  scratches  on  lens 
D Any  other  detrimental  condition 

2 READING  LIGHTS,  PASSENGER- SERVICE  SYSTEM 
Test  lights  in  zones  A to  E. 

A At  positions  1,  2,  3,  and  4 on  right  attendant's  panel,  position 
switches  as  follows: 

PES-OFF,  PSS— OFF,  CH-OFF,  ATTNO  CALL-TEST  (to 
illuminate  blue) 

B t ot  zone  being  checked,  rotate  reading-light  switch  to  ON 
position: 

(1)  All  reading  lights  in  that  zone  should  illuminate. 

(2)  Master  call  light  should  not  blink. 

C Rotate  reading-light  switch  to  OFF  position: 

(1)  All  reading  lights  in  that  zone  should  not  be  illuminated, 

(2)  Master  call  light  should  not  blink. 

D Rotate  reading-light  switch  to  SEAT  position: 

All  reading  lights  in  that  zone  should  return  to  individual  seat 
CTL  selector. 


J EXTERIOR  LIGHTS 

A Turn  on  beacon,  navigation,  and  wing-illumination  lights,  and 
at  night  turn  on  logo  lights. 

B Walk  around  exterior  of  aircraft  and  check  lights. 

C Turn  off  lights. 
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3 • 5 CHARACTERISTICS  OF  THE  BASIC  TASKS 


The  four  types  of  scheduled-maintenance  tasks  employed  in  an  RCM 
program  differ  both  in  terminology  and  in  concept  from  traditional  ap- 
proaches to  scheduled  maintenance.  In  the  airline  industry,  for  example, 
it  is  customary  to  refer  to  three  "primary  maintenance  processes":  on- 
condition,  hard  time,  and  condition  monitoring.  All  scheduled  tasks  are 
considered  to  be  either  on-condition  or  hard-time.  On-condition  tasks 
are  defined  by  FAA  regulations  as: 

. . . restricted  to  components  on  which  a determination  of  con- 
tinued airworthiness  may  be  made  by  visual  inspection,  measure- 
ment, tests,  or  other  means  without  a teardown  inspection  or 
overhaul.  These  "On-Condition"  checks  are  to  be  performed  within 
the  time  limitations  prescribed  for  the  inspection  or  check. 

Although  the  term  hard  time  is  not  specifically  defined,  it  is  implied 
by  a number  of  FAA  requirements.  Airline  maintenance  specifications 
must  include  "time  limitations,  or  standards  for  determining  time  limi- 
tations, for  overhauls,  inspections  and  checks  of  airframes,  engines, 
propellers,  appliances,  and  emergency  equipment,"  and  the  basic  prin- 
ciple for  establishing  these  time  limitations  is: 

. . . that  the  inspections,  checks,  maintenance  or  overhaul  be  per- 
formed at  times  well  within  the  expected  or  proven  service  life  of 
each  component  of  the  aircraft. 


EXHIBIT  3-7  C omparison  of  lU'M 
regulatory  usage. 


RCM  terminology 


current  regulatory  usage 


Inspection  tasks: 

On-condition  tasks  (to  detect 
potential  failures) 

Failure-finding  tasks  (to  detect 
hidden  function  failures) 


Removal  tasks: 

Scheduled  rework 
Scheduled  discard 

Servicing  tasks 

No  scheduled  maintenance 


On-condition  process 

Condition-monitoring  process 
(inspection  of  hidden-function 
items) 

Hard-time  process 
Scheduled  overhaul 
Life  limit 

Servicing 

Condition-monitoring  process 
(no  scheduled  tasks) 


terminology  ditto  re  n cos 
the  hdsis  ot  task  preference 
items  that  c.innot  benefit  Irom 
sc  h ed  n I oil  m .i  i n t e n .1  n c e 


t.isk  terminology  and  current 
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The  process  termed  condition  monitoring  is  one  that  is  characterized 
by  the  absence  of  preventive -maintenance  tasks.  An  item  is  said  to  be 
maintained  by  condition  monitoring  if  it  is  permitted  to  remain  in  ser- 
vice without  preventive  maintenance  until  a functional  failure  occurs. 
However,  since  condition  monitoring  is  oriented  to  after-the-fact  detec- 
tion of  failures,  this  designation  may  refer  in  some  instances  to  failure- 
finding tasks  assigned  to  hidden-function  items  and  in  other  instances 
to  items  assigned  to  no  scheduled  maintenance. 

Despite  the  overlap  in  terminology,  there  are  certain  fundamental 
differences  in  concept  between  the  tasks  performed  under  traditional 
maintenance  policies  and  the  explicit  task  definitions  required  by  an 
RCM  program.  The  hard-time  approach  was  based  on  the  assumption 
that  complex  items  do  have  an  "expected  or  proven  service  life"  — that 
is,  that  their  overall  reliability  invariably  decreases  with  age.  On  this 
premise  overhaul  specifications  usually  required  that  all  units  which 
had  survived  to  the  specified  time  limit  be  disassembled  down  to  their 
smallest  constituent  parts  and  inspected  in  detail  for  signs  of  deteriora- 
tion. Technical  experts  examined  each  part  and  formed  opinions  about 
whether  a given  component  could  have  continued  to  operate  satisfac- 
torily to  a projected  new  overhaul  interval;  in  other  words,  they  made 
judgments  about  the  age  at  which  the  item  was  likely  to  fail. 

These  teardown  inspections  might  at  first  appear  to  qualify  as  on- 
condition  inspections.  However,  such  inspections  were  rarely  focused 
on  the  specific  conditions  required  by  an  on-condition  task.  Unfor- 
tunately it  is  usually  beyond  human  capability  to  look  at  a used  part 
and  determine  what  its  likelihood  of  failure  will  be  at  some  later  age. 
As  a result,  the  initial  overhaul  intervals  for  new  equipment  were  short 
and  were  extended  only  by  very  small  increments.  At  one  point,  in  fact, 
the  FAA  limited  extensions  of  the  interval  for  engine  overhauls  to  a 
maximum  of  100  hours  and  required  a period  of  at  least  three  months 
between  successive  extensions. 

Note  that  the  traditional  type  of  scheduled  overhaul  also  fails  to 
satisfy  the  criteria  for  a rework  task.  Shop  specifications  calling  for  the 
part-by-part  remanufacture  of  complex  items  to  restore  them  to  "like- 
new"  condition  were  intended  to  avoid  operation  in  the  age  period  at 
which  failures  were  expected  to  be  more  likely.  As  we  have  seen,  how- 
ever, this  expectation  does  not  hold  for  most  complex  items.  Conse- 
quently we  cannot  expect  periodic  overhaul  at  any  operating  age  to 
make  a noticeable  difference  in  their  reliability.  Furthermore,  even 
when  a complex  item  does  meet  the  applicability  criteria  for  a rework 
task,  it  is  difficult  to  satisfy  the  conditions  for  effectiveness.  For  this 
reason  complete  rework  of  items  such  as  turbine  engines  is  now  rela- 
tively rare,  and  many  organizations  have  abandoned  rework  of  other 
rotating  machinery,  which  was  once  considered  a prime  candidate  for 
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THE  BASIS  OF  TASK  PREFERENCE 

The  applicability  of  any  maintenance  task  depends  on  the  failure  char- 
acteristics of  the  item.  However,  the  characteristics  of  the  tasks  them- 
selves suggest  a strong  order  of  preference  on  the  basis  of  their  overall 
effectiveness  as  preventive  measures.  The  first  choice  is  always  an  on- 
condition  inspection,  particularly  if  it  can  be  performed  without  remov- 
ing the  item  from  the  equipment.  This  type  of  preventive  maintenance 
has  a number  of  advantages.  Because  on-condition  tasks  identify  indi- 
vidual units  at  the  potential-failure  stage,  they  are  particularly  effective 
in  preventing  specific  modes  of  failure.  Hence  they  reduce  the  likeli- 
hood both  of  critical  failures  and  of  the  operational  consequences  that 
would  otherwise  result  from  that  failure  mode.  For  the  same  reason, 
they  also  reduce  the  average  cost  of  repair  by  avoiding  the  expensive 
secondary  damage  that  might  be  caused  by  a functional  failure. 

The  fact  that  on-condition  tasks  identify  individual  units  at  the 
point  of  potential  failure  means  that  each  unit  realizes  almost  all  of  its 
useful  life.  Since  the  number  of  removals  for  potential  failures  is  only 
slightly  larger  than  the  number  that  would  result  from  functional  fail- 
ures, both  the  repair  costs  and  the  number  of  spare  units  necessary  to 
support  the  repair  process  are  kept  to  a minimum.  The  scheduling  of 
on-condition  inspections  at  a time  when  the  equipment  is  out  of  seivice 
concentrates  the  discovery  of  potential  failures  at  the  maintenance  sta- 
tions that  perform  the  inspections.  This  fact,  together  with  the  lower 
probability  of  functional  failures,  further  reduces  the  inventory  of  spare 
units  that  would  otherwise  have  to  be  kept  available  at  each  line  station. 

If  no  applicable  and  effective  on-condition  task  can  be  found,  the 
next  choice  is  a scheduled  rework  task.  Scheduled  rework  of  single  parts 
or  components  leads  to  a marked  reduction  in  the  overall  failure  rate  of 
items  tfiat  have  a dominant  failure  mode  (the  failures  resulting  from 
this  mode  would  be  concentrated  about  an  average  age).  This  type  of 
task  may  be  cost-effective  if  the  failures  have  major  economic  con- 
sequences. As  with  on-condition  inspections,  the  scheduled  removals 
can  be  concentrated  at  a few  maintenance  stations,  thus  reducing  the 
exposure  of  all  line  stations  to  the  need  to  remove  units  after  they  have 
failed.  A rework  age  limit  usually  includes  no  restriction  on  the  remanu- 
facture and  reuse  of  time-expired  units;  hence  material  costs  are  lower 
than  they  would  be  if  the  entire  unit  had  to  be  discarded. 

Any  scheduled  rework  task,  however,  has  certain  disadvantages. 
Because  the  age  limit  applies  to  all  units  of  an  item,  many  serviceable 
units  will  be  removed  that  would  otherwise  have  survived  to  higher 
ages.  Moreover,  as  we  sav'  in  Section  3.2,  the  total  number  of  removals 
will  consist  of  failed  units  plus  scheduled  removals.  Hence  the  total 
workload  for  this  task  is  substantially  greater  than  it  would  be  with  on- 
condition  inspection,  and  a correspondingly  larger  number  of  spare 
units  is  needed  to  support  the  shop  process. 
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Scheduled  discard  is  economically  the  least  desirable  of  the  three 
directly  preventive  tasks,  although  it  does  have  a few  desirable  features. 
A safe-life  limit  on  simple  components  can  prevent  critical  failures 
caused  by  certain  failure  modes.  Similarly,  an  economic-life  limit  can 
reduce  the  frequency  of  functional  failures  that  have  major  economic 
consequences.  However,  a discard  task  is  in  itself  quite  costly.  The  aver- 
age life  realized  by  an  item  subject  to  a safe-life  limit  is  only  a fraction 
of  its  potentially  useful  life,  and  the  average  life  of  an  item  subject  to 
an  economic-life  limit  is  much  less  than  the  useful  life  of  many  indi- 


EXHIBIT  3 ‘8  Comparison  ol  various  characteristics  of  the  four  basic 
schc  it  u tort -maintenance  tasks. 


characteristic 


on-condition  task 


scheduled  rework  task 


Applicability  criteria 

Reduced  resistance  to  failure  must 
be  detectable;  rate  of  reduction  in 
failure  resistance  must  be 
predictable. 

Conditional  probability  of  failure 
must  increase  at  an  identifiable 
age;  a large  proportion  of  the  units 
must  survive  to  that  age. 

Effectiveness  criteria 

For  critical  failures  the  task  must 
reduce  the  risk  of  failure  to  an 
acceptable  level;  in  all  other  cases 
the  task  must  be  cost-effective. 

For  critical  failures  the  task  must 
reduce  the  risk  of  failure  to  an 
acceptable  level  (a  rework  task 
alone  is  unlikely  to  meet  this 
requirement);  in  all  other  cases 
the  task  must  be  cost-effective. 

Usual  availability  of 
required  information 

Applicability  prior  to  service; 
effectiveness  after  age  exploration. 

Applicability  after  age  exploration; 
effectiveness  after  age  exploration. 

Effect  on  occurrence  of 
functional  failures 

Failures  due  to  specific  failure 
mode  eliminated  or  greatly  reduced 
in  frequency. 

Frequency  of  failures  somewhat 
less  than  with  no  scheduled 
maintenance. 

Distribution  of 
removals 

Removals  for  potential  failures 
concentrated  at  few  stations  where 
inspections  are  performed;  removals 
for  functional  failures  at  any  station. 

Scheduled  removals  concentrated 
at  a very  few  stations;  removals  for 
functional  failures  at  any  station. 

Effect  on  shop  volume 

Slightly  greater  than  with  no 
scheduled  maintenance. 

Much  greater  than  with  on- 
condition  or  no  scheduled 
maintenance. 

vidual  units.  In  addition,  a discard  task  involves  the  cost  ol  replace- 
ment; new  items  or  parts  must  be  purchased  to  replace  the  time-expired 
units,  since  a life  limit  usually  does  not  permit  remanufacture  and  reuse. 

Hidden-function  failures  have  no  immediate  consequences;  hence 
our  interest  is  in  the  least  expensive  means  of  ensuring  the  necessary 
level  of  availability  for  the  item.  When  none  of  the  other  three  tasks 
is  applicable,  the  default  action  for  hidden-function  items  is  a failure- 
finding  task.  Otherwise,  the  choice  of  task  is  determined  by  cost 
effectiveness. 


scheduled  discard  task  failure-finding  task 

For  safe-life  items  conditional  The  occurrence  of  a functional 

probability  of  failure  must  be  zero  failure  must  not  be  evident  to  the 
below  life  limit;  for  economic-life  operating  crew, 
items  conditional  probability  of 
failure  must  increase  at  r.n  identi- 
fiable age  and  a large  proportion 
of  units  must  survive  to  that  age. 

A safe-life  limit  must  reduce  the  The  task  must  result  in  the  level 

risk  of  failure  to  an  acceptable  of  availability  necessary  to 

level;  an  economic-life  limit  must  reduce  the  risk  of  a multiple 
be  cost-effective.  failure  to  an  acceptable  level. 


Safe-life  applicability  and  effective-  Applicability  prior  to  service; 
ness  prior  to  service;  economic-life  effectiveness  after  age  exploration, 
applicability  and  effectiveness 
after  age  exploration. 

Failures  due  to  specific  failure  No  effect  on  item  inspected,  but 

mode  eliminated  (safe-life  limit)  frequency  of  multiple  failures 
or  reduced  in  frequency  (economic-  greatly  reduced, 
life  limit). 

Scheduled  removals  concentrated  Removals  concentrated  at  stations 

at  a very  few  stations;  removals  where  inspections  are  performed; 

for  functional  failures  (economic-  no  removals  at  other  stations, 
life  limit)  at  any  station. 

Not  applicable.  Minimal. 


J 


ITEMS  THAT  CANNOT  BENEFIT  FROM  SCHEDULED  MAINTENANCE 

In  the  process  of  evaluating  proposed  maintenance  tasks  for  an  item 
there  will  be  a number  of  instances  in  which  no  applicable  task  can  be 
found  — that  is,  items  for  which  there  is  no  evidence  that  a particular 
task  will  improve  reliability.  There  will  be  far  more  instances,  however, 
in  which  an  applicable  task  does  not  satisfy  the  conditions  for  effective- 
ness. This  may  be  because  the  failure  has  such  minor  consequences  that 
the  task  is  not  cost-effective  or  because  it  has  such  major  consequences 
that  the  task  does  not  reduce  the  risk  of  failure  *o  the  required  level.  If 
safety  consequences  are  involved,  the  objective  of  any  task  is  to  mini- 
mize the  probability  of  a failure,  and  in  this  case  all  applicable  tasks  are 
assigned  as  preventive  maintenance.  Since  most  essential  functions  in 
well-designed  equipment  are  protected  by  redundancy,  the  safety  haz- 
ard is  usually  the  possible  secondary  damage.  However,  the  number  of 
failure  modes  in  which  this  is  a factor  is  relatively  small. 

When  an  item  cannot  benefit  from  scheduled  maintenance,  in  some 
cases  product  improvement  may  be  necessary  before  the  equipment 
goes  into  service.  More  often  the  chore  of  determining  what  preventive 
maintenance  might  accomplish  for  each  item  helps  to  clarify  specific 
modifications  that  would  improve  reliability  in  subsequent  designs. 

Where  safety  consequences  are  not  involved,  any  applicable  task 
must  be  cost-effective,  and  this  condition  is  usually  difficult  to  satisfy 
unless  the  failure  has  operational  consequences.  Once  again,  the  design 
often  employs  redundancy  to  limit  the  number  of  items  subject  to  such 
failures.  As  a result,  there  are  tens  of  thousands  of  items  on  complex 
equipment  for  which  scheduled  maintenance  provides  no  advantage. 
Since  such  items  cannot  benefit  from  preventive  maintenance,  they  are 
left  in  operation  until  a functional  failure  occurs.  This  strategy  permits 
each  unit  to  realize  its  maximum  useful  life. 

Items  that  cannot  benefit  from  scheduled  maintenance  are  charac- 
terized by  two  properties: 

► Such  items  have  no  hidden  functions;  hence  a failure  is  evident  to 
the  operating  crew  and  will  therefore  be  reported  and  corrected. 

► The  failure  is  one  that  has  no  direct  adverse  effect  on  operating 
safety. 

A further  characteristic  of  such  items  is  that  many  of  them  are  complex. 
One  reason  for  this  is  that  when  there  is  no  evidence  that  a proposed 
task  will  actually  improve  the  reliability  of  a complex  item,  there  is 
always  the  possibility  that  it  will  introduce  new  problems,  either  by 
upsetting  a stable  state  or,  in  some  cases,  by  introducing  workmanship 
problems.  Thus  where  a complex  system  cannot  be  protected  by  on- 
condition  inspections,  from  a purely  practical  standpoint  the  default 
action  would  be  no  scheduled  maintenance.  This  is  usually  the  case, 
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THE  DIMENSIONS  OF  A SCHEDULED- 
MAINTENANCE  PROGRAM 


THE  ROLE  Of  THE  BASIC  TASKS 

The  maintenance  activities  required  to  support  any  type  of  complex 
* quipment  include  routine  servicing,  periodic  inspections,  and  the  per- 
formance of  any  corrective  maintenance  necessary  when  a condition  is 
found  to  be  unsatisfactory.  Scheduled  tasks  are  selected,  however,  on 
the  basis  of  the  ways  in  which  a particular  item  can  fail.  In  considering 
all  the  known  or  anticipated  failure  modes  of  each  item  we  find  that 
many  major  components  cannot  benefit  from  any  type  of  preventive 
maintenance,  some  will  require  a single  task,  aiid  others  will  require 
several  different  tasks.  The  maintenance  tasks  assigned  to  a complex 
item  such  as  an  aircraft  turbine  engine,  for  example,  are  quite  numer- 
ous. Following  are  just  a few  of  the  inspection  tasks  performed  while 
the  engine  is  installed: 

► Oil-screen  inspection  to  detect  metal  particles 

► Borescope  inspection  of  the  combustor  to  detect  signs  of  metal 
fatigue 

► "Sniff  test"  of  the  fuel  manifold  to  detect  fuel  odors 

► "Broomstick  check"  to  detect  loose  turbine  blades 

► Inspection  of  the  fan  blades  and  front  compressor  blades  fi  pos- 
sible damage 

► Inspection  for  rattling  noise  to  detect  broken  tie  bolts 

p-  Radioisotope  inspection  of  nozzle  guide  vanes  for  deformation 

► Spectrographic  oil  analysis  to  detect  metallic  indications  of  wear 

Recognition  of  the  criteria  for  applicability  of  scheduled  rework 
has  led  to  a great  reduction  in  the  number  of  items  removed  and  sent 
to  the  shop  for  routine  overhaul.  Items  are  still  removed  from  equip- 
ment and  sent  to  the  maintenance  base,  however,  either  because  they 
have  failed  or  because  they  contain  parts  that  require  scheduled  rework 
or  discard.  In  this  case  it  is  necessary  to  decide  the  extent  of  the  work  to 
be  done  before  these  items  are  returned  to  service.  Within  the  frame  of 
reference  dictated  by  the  applicability  of  rework  tasks,  there  are  only 
four  circumstances  under  which  rework  would  be  specified: 

► Single  parts  may  require  rework  as  the  result  of  an  inspection  for 
potential  failures  that  can  be  performed  only  when  an  item  is  dis- 
assembled in  the  shop.  This  applies  to  certain  types  of  turbine 
blades. 
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► Single  parts  may  require  rework  because  their  failure  characteris- 
tics show  that  they  will  benefit  from  an  age  limit.  This  is  the  case 
with  some  fuel  manifolds. 

► Single  parts  may  have  to  be  discarded  because  they  have  reached 
a specified  life  limit.  This  applies  to  the  safe-life  limits  imposed  on 
most  compressor  and  turbine  disks. 

► Single  parts  may  have  to  be  reworked  or  discarded  because  shop 
inspection  discloses  a functional  failure  that  was  not  observable 
when  the  item  was  installed  on  the  equipment. 

The  amount  of  work  specified  as  part  of  shop  maintenance  de- 
pends, of  course,  on  the  nature  of  the  item.  With  some  the  direct  cause 
of  a failure  is  corrected,  and  if  the  component  can  then  meet  its  perfor- 
mance standards,  it  is  returned  to  service.  This  practice  is  sometimes 
referred  to  as  conditional  overhaul.  Other  items,  such  as  turbine  engines, 
may  have  a great  deal  of  additional  work  done  on  them  while  they  are 
out  of  service.  The  work  performed,  however,  is  very  much  less  than 
that  done  under  hard-time  overhaul  policies.  As  a result,  the  RCM 
approach  to  rework  tasks  has  substantially  decreased  engine  mainte- 
nance costs,  not  only  by  reducing  the  volume  of  units  flowing  through 
the  maintenance  base,  but  also  by  reducing  the  amount  of  work  re- 
quired when  they  are  there. 

The  propulsion  system  is  not  the  only  complex  item  on  an  aircraft; 
however,  it  is  a system  closely  associated  with  operating  safety,  and  the 
largest  part  of  the  maintenance  costs  for  any  aircraft  stem  from  sched- 
uled or  unscheduled  work  on  engines.  Because  of  this,  on-condition 
inspections  play  a major  role  in  powerplant  maintenance  programs,  and 
scheduled  removals,  when  they  are  necessary,  are  set  at  the  maximum 
interval  that  will  allow  satisfactory  operation. 

SERVICING  AND  LUBRICATION 

Complex  equipment  requires  numerous  scheduled  servicing  and  lubri- 
cation tasks  to  maintain  satisfactory  operation.  There  is  usually  no 
question  about  which  tasks  are  required  and  whether  they  are  appli- 
cable and  effective.  However,  it  is  interesting  to  review  this  aspect  of 
maintenance  in  light  of  our  discussion  thus  far. 

Lubrication,  for  example,  really  constitutes  scheduled  discard  of  a 
single-celled  item  (the  old  lubrication  film).  This  task  is  applicable  be- 
cause the  film  does  deteriorate  with  operating  age  and  show  wearout 
characteristics.  Usually  the  condition  of  the  film  cannot  be  determined; 
hence  conservatively  short  intervals  are  assigned  for  its  replacement  with 
new  lubricant  Such  tasks  are  also  cost-effective.  An  item  is  lubricated 
whither  it  needs  lubrication  or  not  because  the  cost  is  minuscule  in 


72  THEORY  AND  PRINCIPLES 


comparison  to  the  costs  that  would  result  from  inadequate  lubrication. 
In  tact,  the  cost  of  this  task  is  too  low  to  justify  studies  to  determine  the 
most  economical  task  interval.  As  a result,  lubrication  is  rarely  isolated 
for  in-depth  analysis  in  developing  a maintenance  program. 

Whereas  lubrication  constitutes  a discard  task,  the  servicing  tasks  - 
checking  tire  pressure  or  fluid  levels  in  oil  and  hydraulic  systems  — are 
on-condition  tasks.  In  this  case  potential  failures  are  represented  by 
pressure  or  fluid  levels  below  the  replenishment  level,  and  Ibis  condi- 
tion is  corrected  in  each  unit  as  necessary. 

ZONAL  INSriCTIONS  AND  WALKAROUND  CHECKS 

In  contrast  to  servicing  and  lubrication  tasks,  zonal  inspections  and 
walkaround  checks  of  aircraft  structures  do  not  fall  within  the  realm  of 
RCM  task  definition.  Walkaround  checks  are  intended  to  spot  acciden- 
tal damage  and  fluid  leaks  and  hence  might  be  viewed  as  combination 
on-condition  and  failure-finding  inspections.  In  fact,  they  do  include  a 
few  specific  on  condition  tasks,  such  as  a check  of  brake  wear  indica- 
tors. However,  damage  can  occur  at  any  time  and  is  unrelated  to  any 
definable  level  of  failure  resistance.  As  a result,  there  is  no  basis  tor 
defining  an  explicit  potential-failure  stage  or  a predictable  interval 
between  a potential  failure  and  a functional  failure.  Similarly,  a check 
for  leaks  is  not  based  on  the  failure  characteristics  of  a particular  item, 
but  rather  is  intended  to  spot  any  unforeseen  exceptions  in  failure 
behavior. 

Zonal  inspections  arc  even  less  specific.  They  are  not  directed  at 
any  particular  failure  mode,  but  arc'  merely  a survey  of  the  general  con- 
ditions within  a given  zone,  or  area,  of  the  equipment.  Zonal  inspec- 
tions include  a check  of  all  the  system  assemblies  and  connecting  lines 
in  each  zone  for  security  (loose  parts),  obvious  signs  of  damage  or  leaks, 
and  normal  wear  and  tear  as  a result  of  other  maintenance  activities.  In 
the  powerplant  this  inspection  includes  looking  into  the  engine  tailpipe 
and  inlet,  opening  the  cowling  and  examining  all  the  engine-mounted 
accessories,  and  so  on.  Such  inspections  play  an  important  role  in  struc- 
tural maintenance  since  thev  also  include  a general  inspection  of  the 
internal  structural  areas  that  can  be  seen  with  all  installations  in  place. 
Thus  they  complement,  but  are  not  a substitute  tor.  the  program  of  de- 
tailed on-condition  inspections  developed  tor  structurally  significant 
items. 

Although  zonal-installation  inspections  do  not  meet  the  applica- 
bility ci  '.teria  for  any  of  the  tour  basic  tasks,  their  cost  is  such  a small 
part  ot  the  total  cost  ot  scheduled  maintenance  that  thev  are  econom- 
ically justified  it  they  result  in  the  discovery  ot  even  a tew  potential 
failures,  l-'or  this  reason  any  RCM  program  is  supplemented  bv  a sepa- 
rate program  ot  scheduled  zonal  inspections 
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EXHIBIT  3 '9  A breakdown  ot  tlu'  lota;  maintenance  workload  ol 
18.8  manhours  per  (light  luuir  on  the  United  Airlines  tleet  of  Boeing 
747  s,  Data  ate  tor  |.inuar\- November  1475  and  Jo  not  include  man- 
hours expended  to  accomplish  modifications.  (United  Airlines) 
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THE  TOTAL  MAINTENANCE  WORKLOAD 

The  total  maintenance  workload  required  fo  support  complex  equip- 
ment consists  of  all  the  work  performed  as  scheduled  maintenance,  plus 
the  corrective-maintenance  work  required  to  repair  failed  units.  Exhibit 
3.9  illustrates  the  ratio  of  these  two  aspects  of  maintenance  for  an  air- 
craft supported  by  a scheduled-maiutenance  program  that  is  essentially 
the  same  as  an  RCM  program.  The  scheduled  tasks  comprised  some- 
what less  than  10  percent  of  the  total  manhours  spent  on  maintenance, 
yet  these  tasks  ensured  realization  of  all  the  reliability  of  which  the 
equipment  was  capable.  Additional  scheduled  work  would  have  in- 
creased costs,  but  it  would  not  have  improved  reliability. 

Approximately  75  percent  of  the  corrective  work  was  done  at  the 
major  maintenance  base  as  a result  of  the  line-maintenance  practice  of 
replacing  failed  units  with  serviceable  ones.  About  half  the  corrective 
work  was  done  on  engines.  The  only  way  the  corrective  workload  can 
be  reduced  is  by  design  changes  that  improve  the  inherent  reliability  of 
the  items  that  are  failing.  Such  changes  are  usually  directed  at  dominant 
failure  modes  in  items  whose  failure  has  safety  or  major  economic  con- 
sequences. In  this  case  the  engine  failures  do  have  serious  economic 
consequences,  and  this  engine  is  still  undergoing  intensive  develop- 
ment. 

The  absolute  size  of  the  scheduled  workload  for  this  aircraft  will 
not  change  very  much  from  its  1975  value,  but  the  corrective  workload 
will  decrease  substantially  as  product  improvement  overcomes  those 
problems  which  require  high  manhour  expenditures.  Consequently  the 
relative  proportions  of  the  workload  components  may  change  in  the 
next  several  years.  At  some  time  in  the  future  both  components  may 
increase  again  as  a result  of  conditions  that  do  not  occur  until  much 
later  age.-*. 

3 * 7 PRODUCT  IMPROVEMENT  AS 
PREVENTIVE  MAINTENANCE 

Over  the  years  aircraft  manufacturers  have  incorporated  a number  of  inherent  reliability 

design  features  that  have  increased  the  inherent  capability  of  the  equip-  1 ai  ..... 

. ....  . . . . . . . nn-thoUs  of  coping  with  the 

ment  tor  reliable  operation.  In  most  cases  these  practices  are  intended  tailurv  process 

not  to  prevent  failure,  but  to  reduce  its  consequences  to  the  cost  of  cor-/ 

rective  maintenance.  Thus  most  systems  items  are  designed  with  a high 

degree  of  redundancy  to  ensure  that  if  one  unit  fails,  the  necessary 

function  will  still  be  available.  On  the  same  principle,  structures  are 

designed  with  multiple  load  paths  so  that  they  are  damage-tolerant. 

Protective  devices  may  also  consist  of  entirely  separate  components,  as 

in  the  case  of  emergency  equipment  — fire  extinguishers,  automatically 

released  oxygen  equipment  in  passenger  aircraft,  and  ejection  seats  in 

single-engine  military  aircraft.  section  W 75 


Another  common  practice  is  failure  substitution.  This  may  be  the 
substitution  of  a minor  functional  failure  to  preempt  a major  one,  as  in 
the  use  of  automatic  shutoff  devices.  Or  it  may  be  a feature  included  to 
permit  easy  identification  of  a potential  failure;  for  example,  the  outer 
skin  of  an  a'  craft  may  be  designed  to  crack  before  the  structural  mem- 
ber beneath  it  fails,  so  that  there  is  evidence  of  an  imminent  failure  that 
can  be  detected  by  visual  inspection.  Inspection  features  such  as  bore- 
scope  ports  in  engines  also  facilitate  the  detection  of  potential  failures 
that  would  otherwise  be  difficult  to  check  for. 

All  these  features  are  important  from  the  standpoint  of  preventive 
maintenance,  since  they  determine  both  the  feasibility  of  certain  tasks 
and  the  failure  consequences  by  which  task  effectiveness  is  measured. 
On  a short-term  basis,  however,  any  scheduled-maintenance  program 
must  be  built  around  the  reliability  characteristics  of  the  equipment  us 
it  exists.  In  the  case  of  new  equipment,  therefore,  it  is  important  to  bear 
in  mind  a basic  conflict  between  certain  design  goals  and  reliability 
goals.  This  problem  is  nowhere  more  apparent  than  in  modem  aircraft, 
where  the  requirement  for  lightness  and  compactness  is  in  direct  oppo- 
sition to  the  strength  and  bulk  that  is  necessary  for  failure  resistance. 
A further  difficulty  is  posed  by  the  rush  to  new  technology,  since  this 
means  that  the  designer  is  often  working  with  new  components  and 
even  new  materials  whose  reliability  has  not  been  proved  by  experience. 

There  are  several  pitfalls  here.  Designing  for  lightness,  for  example, 
correspondingly  reduces  the  initial  margin  between  resistance  and 
stress.  Even  with  familiar  materials,  the  actual  strength  of  a material 
may  be  less  than  its  nominal  strength,  or  the  rate  at  which  its  failure 
resistance  declines  may  be  greater  than  expected.  With  unfamiliar  ma- 
terials and  processes  the  likelihood  is  increased  in  both  these  areas.  The 
design  goal  of  compactness  may  lend  to  the  same  results  and  to  other 
problems  as  well.  In  a more  compact  area  an  item  that  functioned  well 
in  a different  environment  may  be  exposed  to  higher  temperatures  or 
to  vibration  from  neighboring  components.  Such  items  are  also  likely 
to  be  more  difficult  to  reach  for  inspection  or  replacement. 

Where  reliability  problems  are  inherent  in  the  design  itself,  there 
are  three  ways  of  coping  with  the  failure  process: 

► Increasing  the  initial  resistance  to  failure 

► Reducing  the  rate  at  which  failure  resistance  decreases 

► Reducing  the  stress  to  which  the  item  is  exposed 

All  three  of  these  effects  are  shown  in  Exhibit  3.10. 

Reliability  improvement  in  each  of  these  areas  can  take  any  number 
of  forms.  In  some  instances  the  solution  may  be  a modification  in  oper- 
ating procedures.  For  example,  the  use  of  more  reverse  thrust  and  less 
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EXHIBIT  3 -10  Methods  of  coping  with  the  failure  process.  An  item 
may  be  redesigned  to  increase  its  initial  failure  resistance,  to  reduce 
the  rate  at  which  failure  resistance  decays,  or  both.  At  the  same 
time,  various  strategies  may  be  employed  to  reduce  the  stress  to  which 
the  item  is  exposed.  Any  or  all  of  these  procedures  will  improve 
reliability  by  moving  the  point  of  functional  failure  farther  into  the 
future,  and  thus  increasing  the  mean  time  between  failures. 


the  brakes  (although  it  increases  the  cumulative  stress  on  the  reverser). 
Since  this  procedure  will  also  increase  the  life  of  the  tires,  it  has  several 
implications  for  maintenance.  In  general,  however,  when  unsatisfac- 
tory reliability  characteristics  result  in  exposure  to  critical  failures  or 
excessive  operational  or  maintenance  costs,  the  only  effective  form  of 
prevention  is  redesign  — either  to  alleviate  the  problem  or  to  mitigate 
its  consequences. 

When  a critical-failure  mode  is  involved,  and  no  form  of  scheduled 
maintenance  can  be  found  that  will  effectively  control  it,  product  im- 
provement is  mandatory.  Otherwise  the  desirability  of  redesign  de- 
pends on  an  assessment  of  the  costs  involved  on  both  sides.  Since  this 
information  is  ordinarily  not  available  until  after  the  equipment  has 
been  in  service  for  some  time,  items  that  may  ultimately  be  redesigned 
on  the  basis  of  actual  operating  costs  are  often  assigned  to  no  scheduled 
maintenance  in  a prior-to-service  program. 
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developing  the  initial  program 


AN  INITIAL  scheduled-maintenance  program  must  be  developed  for  new 
equipment  long  before  it  enters  service.  While  it  might  be  possible  to 
obtain  a small  mountain  of  test  data  on  every  part,  assembly,  and  sub- 
system, the  information  about  their  actual  reliability  comes  only  from 
operating  experience.  Thus  the  problem  in  basing  a maintenance  pro- 
gram on  reliability  characteristics  might  appear  to  be  a lack  of  the  veiy 
information  that  is  needed.  In  reality  the  problem  is  not  the  lack  of 
information;  rather,  it  is  knowing  what  information  is  necessary  in 
order  to  make  decisions. 

The  RCM  solution  to  this  problem  is  a structured  decision  process 
based,  not  on  an  attempt  to  estimate  the  reliability  of  each  part,  but  on 
the  consequences  of  functional  failures  for  the  equipment  itself.  The 
decision  process  thus  proceeds  from  the  top  down,  first  to  identify  those 
items  whose  failure  is  significant  at  the  equipment  level  and  then  to 
determine  what  scheduled  maintenance  can  do  for  each  of  these  items. 
At  each  step  of  the  analysis  the  decision  is  governed  by  the  nature  of 
the  failure  consequences.  This  focus  establishes  the  priority  of  main- 
tenance activity  and  also  permits  us  to  define  the  effectiveness  of  pro- 
posed maintenance  tasks  in  terms  of  the  results  they  must  accomplish. 
Once  this  determination  has  been  made,  we  are  in  a position  to  examine 
each  of  the  four  possible  forms  of  preventive  maintenance  to  see  which 
tasks,  if  any,  are  both  applicable  and  effective  for  the  item  undei 
consideration. 
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tasks  is  facilitated  by  a decision-diagram  technique  which  employs  an 
ordered  set  of  priorities— in  the  case  of  both  failure  consequences  and 
task  selection  — with  the  questions  at  each  level  worded  to  define  the 
information  required  for  that  decision.  In  many  cases  the  answer  will 
be  obvious  from  engineering  expertise.,  the  manufacturer's  test  data, 
and  previous  experience  with  similar  items.  However,  in  developing 
a prior-to-service  maintenance  program  a strategy  is  required  for 
decision  making  when  the  appropriate  information  is  not  available. 
Thus  the  decision  logic  also  provides  for  default  answers  to  meet  this 
situation.  For  an  item  subject  to  critical  failures,  the  default  pc 1 h leads 
ultimately  to  redesign.  Where  the  consequences  of  failure  are  economic, 
the  default  decision  may  be  to  do  nothing  (no  scheduled  maintenance) 
until  operating  experience  provides  the  information  to  justify  some 
other  choice. 

The  result  of  RCM  analysis  is  a scheduled-maintenance  program 
that  includes  all  scheduled  tasks  necessary  to  ensure  safety  and  oper- 
ating economy,  but  only  those  tasks  that  will  do  so.  Where  there  is  no 
basis  for  determining  whether  a particular  task  will  prove  applicable 
and  effective,  the  default  strategy  provides  the  most  conservative  an- 
swer. and  as  the  maintenance  program  evolves,  these  initial  decisions 
are  s\  stematically  modified  on  the  basis  of  actual  operating  data.  This 
process  continues  throughout  the  service  life  of  the  equipment,  so  that 
the  decision  structure  provides  for  an  optimal  program  in  terms  of  the 
information  available  at  any  time.  In  this  chapter  we  will  examine  the 
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decision  process  as  it  relates  to  commercial  aircraft.  However,  the  deci- 
sion logic  itself  is  general  and  applies  to  any  complex  equipment  that 
requires  a maintenance  support  program  designed  to  realize  maximum 
operating  reliability  at  the  lowest  cost. 


4*1  THE  NATURE  OF  SIGNIFICANT  ITEMS 

identifying  significant  items  A transport  plane  consists  of  a vast  number  of  parts  and  components, 
structurally  significant  items  all  of  which  have  specific  functions.  All  these  items  can  be  expected  to 
functionally  significant  items  fail  at  one  time  or  another,  but  some  of  the  failures  have  more  serious 

consequences  than  others.  Certain  kinds  of  failures  are  a threat  to  safety, 
and  others  have  a direct  effect  on  operating  capability.  However,  there 
are  tens  of  thousands  of  items  whose  failure  has  no  immediate  impact 
on  the  equipment  as  a whole.  The  failures  are  simply  corrected  soon 
after  they  occur,  and  the  only  consequence  is  the  cost  of  repair.  These 
items  have  no  significance  from  the  standpoint  of  preventive  main- 
tenance in  the  sense  that  their  consequences  are  tolerable.  It  is  less 
expensive  to  leave  them  in  service  until  they  fail  than  it  would  be  to 
prevent  the  failures.  Thus  the  initial  decision  for  these  tens  of  thou- 
sands of  items  is  no  scheduled  maintenance. 

The  information  on  which  to  base  this  decision  ordinarily  comes 
from  the  manufacturer,  who  has  had  to  face  the  problem  of  failures 
during  the  design  and  development  of  the  equipment.  In  order  to 
qualify  the  aircraft  for  airworthiness,  the  manufacturer  will  have  con- 
ducted a failure  modes  and  effects  analysis  (FMEA)  for  all  the  major 
assemblies,  subsystems,  and  systems  to  demonstrate  how  the  equip- 
ment will  perform  when  various  items  fail.  In  addition,  the  purchasing 
airlines  will  have  knowledge  of  operating  experience  with  similar  items 
in  the  past,  as  well  as  knowledge  of  the  failure  consequences  in  the 
particular  operating  context  in  which  the  equipment  is  to  be  used. 

The  failures  that  are  of  concern  are  those  which  have  serious  con- 
sequences. Thus  an  RCM  program  directs  tasks  at  a relatively  small 
number  of  items  — those  systems,  subsystems,  and  assemblies  whose 
functional  failure  would  be  significant  at  the  equipment  level,  either 
immediately  or  downstream  in  the  event  of  a hidden  failure. 

IDENTIFYING  SIGNIFICANT  ITEMS 

The  first  step  in  the  development  of  a scheduled-maintenance  program 
is  a quick,  approximate,  but  conservative  identification  of  a set  of 
significant  items: 


A significant  item  is  one  whose  failure  could  affect  operating  safety  or 
have  major  economic  consequences. 
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The  definition  of  "major  economic  consequences"  will  vary  from  one 
operating  organization  to  another,  but  in  most  cases  it  includes  any 
functional  failure  that  has  a direct  effect  on  operational  capability  or 
involves  a failure  mode  with  unusually  high  repair  costs. 

So  far  we  have  used  the  term  item  in  a very  general  sense  to  refer  to 
some  component  of  th  equipment.  An  item  can,  in  fact,  be  of  any  size; 
the  entire  aircraft  might  be  viewed  as  an  item,  as  might  any  one  of  its 
parts.  However,  the  larger  and  more  complex  the  item,  the  more  un- 
wieldy the  set  of  failure  possibilities  that  must  be  taken  into  account. 
To  reduce  the  problem  of  anal)  sis  to  manageable  size,  it  is  customary  to 
partition  the  equipment  into  three  major  divisions  — systems,  power- 
plant,  and  structure  — each  of  which  involves  different  areas  of  engineer- 
ing expertise.  Each  division  is  then  partitioned  in  descending  order  of 
complexity,  with  successively  fewer  failure  possibilities  at  each  level. 

The  chore  now  is  to  sort  through  the  functions  and  failure  possi- 
bilities of  the  various  components  and  eliminate  all  the  obviously  non- 
significant items.  To  ensure  that  borderline  cases  and  items  for  which 
information  is  lacking  will  always  teceive  further  study,  any  items 
eliminated  at  this  stage  must  be  demonstrated  to  be  nonsignificant. 
Items  may  be  classified  as  nonsignificant  because  their  functions  are 
unrelated  to  operating  capability  or  because  they  are  replicated,  so  that 
a functional  failure  would  not  affect  operating  capability.  Many  items 
can  be  eliminated  because  their  failures  can  be  repaired  quickly  and 
therefore  involve  no  operational  consequences.  Other  items  may  be 
ruled  out  later  because  they  are  not  candidates  for  on-condition  or  safe- 
life  tasks  and  hence  cannot  benefit  from  scheduled  maintenance  (there 
is  usually  no  information  on  the  applicability  of  rework  tasks  at  this 
time).  At  this  stage,  however,  all  the  items  that  might  benefit  from 
scheduled  maintenance  must  be  listed  for  further  study. 

During  the  process  of  classifying  items  as  significant  or  nonsignifi- 
cant certain  items  will  be  identified  that  have  hidden  functions.  All 
these  items  will  require  scheduled  maintenance  regardless  of  their 
significance.  Although  the  loss  of  a hidden  function  has  no  direct  effect 
on  safety  or  operating  capability,  an  undetected  failure  exposes  the 
equipment  to  the  :isk  of  a multiple  failure  which  might  have  serious 
consequences.  Hence  hidden-function  items  are  subjected  to  the  same 
intensive  analysis  as  significant  items. 

Note  that  all  items  will  in  fact  be  included  by  this  procedure,  since 
the  partitioning  process  itself  has  the  following  properties: 

► Any  item  containing  a significant  item  is  itself  significant. 

I*  Any  nonsignificant  item  is  contained  in  a higher-level  significant 

item. 

► Any  lower-level  item  contained  in  a nonsignificant  item  is  itself 

nonsignificant. 


Wife*  , 
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EXHIBIT  4-1  Partitioning  an  aircraft  for  preliminary  identification  of 
significant  items.  The  equipment  is  firs*  partitioned  to  show  all  items 
in  descending  order  of  complexity.  Those  items  whose  failure  clearly 
has  no  significant  conr  quences  at  the  equipment  level  are  then  pruned 
from  thedree,  leav.ng  the  set  of  items  on  which  maintenance  studies 
mu  . he  conducted.  Each  significant  iht.  will  include  as  failure 
mode*  all  the  failure  possibilities  it  contains. 

The  objective,  however,  is  to  find  the  most  convenient  level  of  each 
system  or  assembly  to  classify  as  significant.  The  level  must  be  low 
enougn  to  ensure  that  no  important  failure  possibilities  are  overlooked, 
but  high  enough  for  the  loss  of  function  to  have  an  impact  on  the  equip- 
ment itself,  since  the  consequences  of  a iunctional  failure  are  significant 
only  at  the  equipment  level  — that  is,  for  the  aircraft  as  a whole. 

Once  the  optimum  level  of  item  has  been  selected  for  study  in  each 
case,  we  can  prune  the  “tree"  back  to  a set  of  several  hundred  poten- 
tially significant  items  with  the  assurance  that  any  failure  possibilities 
thej‘  include  at  lower  levels  will  be  taken  into  account  as  failure  modes. 
As  an  example,  consider  the  engine  described  in  Section  3.1,  in  which 
failute  of  one  or  more  individual  tie  bolts  in  a set  of  24  was  defined  as 
a potential  failure.  Although  this  might  be  viewed  as  a functional  fail- 
ure of  the  tie  bolt,  the  failure  of  a single  bolt  does  not  affect  engine 
performance  enough  to  be  evident  to  the  operating  crew,  consequently 
the  t!e  bolt  is  not  a significant  item.  It  does,  however,  have  a hidden 
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would  indeed  become  evident.  The  inspection  task  selected  to  avoid 
such  a multiple  failure  would  still  be  the  ore  described  in  Exhibit  3.2  — 
a check  for  broken  tie  bolts.  However,  viewed  from  the  engine  level  this 
is  an  on-condition  task,  whereas  at  the  parts  level  it  wouid  be  considered 
a failure-finding  task. 

In  other  words,  the  level  of  item  selected  as  significant  is  important 
only  as  a frame  of  reference.  Whether  we  look  up  at  a multiple  failure  or 
down  at  a failure  mode,  an  analysis  of  all  the  failure  possibilities  will 
ultimately  lead  to  exactly  the  same  preventive  task.  The  chief  advantage 
of  the  partitioning  process  is  that  it  allows  us  to  focus  intensive  study 
on  just  a few  hundred  items  instead  of  many  thousands.  In  an  aircraft 
these  items  will  include  some  of  the  parts  and  assemblies,  some  sub- 
systems, each  of  the  systems,  and  each  of  the  majordivisions  themselves. 
The  parts  selected  as  significant  are  usually  those  in  which  a critical 
failure  mode  originates.  The  structure  division  represents  a special 
case,  since  the  significant  items  are  specific  regions  that  require  sched- 
uled maintenance,  rather  than  whole  structural  assemblies. 
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STRUCTURALLY  SIGNIFICANT  ITtMS 

The  significant  item9  in  each  of  the  major  divisions  of  an  aircraft  have 
certain  common  characteristics  which  relate  to  their  maintenance  re- 
quirements, For  example,  the  aircraft  structure  is  a relatively  static 
assemblage  of  single-celled  elements,  and  except  for  items  such  as 
control  surfaces,  landing  gear,  or  doors,  the  only  structi  ral  movement  is 
deflection  under  applied  loads.  However,  the  structure  is  subjected  to 
a great  many  such  loads  in  the  course  of  its  operating  life.  As  we  saw  in 
Chapter  2,  single-celled  parts  of  a mechanism  frequently  exhibit  wear- 
out  characteristics.  This  is  true  of  metallic  structural  elements,  which 
are  subject  to  metal  fatigue -that  is,  to  a reduction  in  failure  resistance 
with  increasing  age. 

Another  physical  process  that  can  lead  to  the  age-related  fa  'ure  of 
structural  elements  is  corrosion,  although  the  effects  of  corrosion  are 
much  less  predictable  than  those  of  fatigue.  Even  minor  pitting  seri- 
ously reduces  both  static  strength  and  fatigue  life,  since  the  loss  of  load- 
carrying material  correspondingly  increases  the  stress  on  the  rest  of  the 
elet  tent.  Accidental  damage  has  a similar  effect  in  preventing  structural 
components  from  realizing  their  inherent  fatigue  resistance.  Thus, 
although  the  aircra  . structure  is  designed  for  a very  long  fatigue  life,  it 
is  subject  not  only  10  age-related  failure  in  general,  but  to  physical  pro- 
cesses that  compound  the  decline  in  failure  resistance  with  age. 

The  failure  of  a major  structural  assembly  which  causes  the  loss  of 
some  basic  structural  function  — such  as  enabling  aerodynamic  lilting 
forces  to  balance  the  weight  of  the  airplane  or  providing  flight-control 
surfaces  for  maneuvering  capability  — clearly  has  safety  consequences. 
Moreover,  any  failures  short  of  a critical  failure— failures  that  do  not 
result  in  a loss  of  function  to  the  aircraft  — will  usually  not  be  evident  to 
the  operating  crew.  The  primary  consideration  in  identifying  significant 
structural  members,  therefore,  is  the  effect  that  failure  of  a member  has 
on  the  residual  strength  of  the  remaining  assembly,  although  considera- 
tion is  also  given  to  susceptibility  to  corrosion  and  accidental  damage. 

The  generic  term  structurally  significant  item  (SSI)  is  used  to  denote 
each  specific  structural  region  that  requires  scheduled  maintenance  to 
guard  against  the  fracture  of  a significant  member.  This  region  may  be 
defined  ar  a site  that  includes  a number  of  structural  elements,  it  may 
be  defined  as  the  significant  member  itself,  or  it  may  be  a particular  re- 
gion on  the  member  that  is  the  best  indicator  of  its  condition.  Often  such 
items  are  the  points  at  which  different  structural  elements  are  joined; 
for  example,  the  wing-to-fuselage  joint  is  always  listed  as  a structurally 
significant  item.  Most  aircraft  structure  is  maintained  by  on-condition 
inspe^  ns  of  the  regions  identified  as  structurally  significant  items. 
These  inspections  are  designed  to  identify  and  repair  corrosion,  fatigue, 
and  other  damage  at  the  earliest  possible  stage,  since  the  replacement  of 
84  THEORY  AND  PRINCIPLES  a failed  structural  element  is  both  difficult  and  expensive. 
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FUNCTIONALLY  SIGNIFICANT  ITEMS 

Unlike  structural  items,  most  systems  are  equipped  with  instrumenta- 
tion to  monitor  the  performance  both  of  the  system  as  a whole  and  of 
individual  assemblies  within  it.  As  a result,  the  occurrence  of  any  func- 
tional failure  in  a system  is  usually  evi.tent  to  the  operating  crew.  More- 
over, most  systems  are  designed  to  be  highly  redundant,  so  that  the 
faillire  of  one  unit  often  has  no  effect  on  operational  capability.  Unless 
a second  unit  fails,  the  aircraft  is  dispatched  as  usual,  and  corrective 
maintenance  is  simply  deferred  to  a convenient  time  and  location.  Thus, 
although  the  system  as  a whole  is  a functionally  significant  item  (FS1),  the 
units  that  comprise  it  would  be  classified  as  nonsignificant,  since  their 
individual  failures  have  no  consequences  at  the  equipment  level. 

Systems  items  differ  in  two  other  ways  from  structural  items.  Most 
systems  components  are  themselves  multicelled,  or  complex;  hence 
their  overall  reliability  shows  little  or  no  deterioration  with  age.  Certain 
metal  parts  in  mechanical  systems  are  subject  to  fatigue  and  corrosion, 
but  these  arc-  rarely  responsible  for  a dominant  failure  mode.  To  meet 
space  and  weight  requirements,  systems  components  are  usually  de- 
signed with  a narrow  margin  between  initial  failure  resistance  and 
stress.  Since  they  are  therefore  subject  to  more  frequent  failure,  the 
system  is  usually  also  designed  to  facilitate  the  replacement  of  failed 
units.  A further  distinction  between  systems  and  strictural  items  is 
that  certain  systems  items,  such  as  electrical  and  electror  ic  components, 
are  characteristically  unable  to  benefit  from  scheduled  maintenance, 

Although  the  powerplant  is  itself  a system,  it  warrants  a category 
of  its  own  because  of  its  complexity,  its  high  cost,  and  thu  critical  nature 
of  some  of  its  failure  modes.  The  shutdown  of  one  engine  in  a multi- 
engine  aircraft  has  operational,  but  not  safety,  consequences.  However, 
the  failure  of  turbine  or  compressor  disks  — or  any  other  failures  that 
generate  projectiles,  cause  fires,  or  leave  the  engine  so  that  it  cannot  be 
shut  down  — can  clearly  affect  safety,  these  failure  modes  are  always 
given  careful  attention  in  a maintenance  program. 

The  powerplant  can  be  viewed  as  a functionally  significant  item  in 
itself,  but  the  failure  characteristics  of  each  of  its  modules,  or  major 
subassemblies,  are  often  quite  different  from  those  of  the  engine  as  a 
whole.  For  example,  the  collective  probabilities  of  all  powerplant  fail- 
ures have  little  relation  to  operating  age,  whereas  single  important 
parts  may  be  subject  to  directly  age-related  failures.  Thus  scheduled - 
maintenance  tasks  in  the  powerplant  program  may  include  safe-life 
limits  for  some  items  and  scheduled  rework  for  others.  In  as  many 
instances  as  possible,  however,  on-condition  inspections  are  employed, 
both  to  avoid  the  consequences  of  functional  failuies  and  to  reduce  the 
costs  associated  with  scheduled  removals,  The  powerplant  is  unique 
from  a maintenance  standpoint  in  that  it  is  designed  to  permit  exten- 
sive inspection  capability  on  the  aircraft,  it  can  be  replaced  in  a fairly 


short  time  (although  unscheduled  replacements  have  operational  con- 
sequences), and  it  is  subject  to  extensive  shop  inspections  as  well. 

In  the  case  of  new  engines  there  may  be  some  failure  modes  that 
cannot  be  effectively  controlled  except  by  redesign.  The  occurrence  of 
an  unanticipated  type  of  failure  in  any  engine  prompts  an  immediate 
response  on  the  part  of  maintenance.  The  failure  consequences  are 
quickly  assessed  and  the  engine  is  examined  to  determine  the  cause  of 
the  failure.  Next,  some  method  is  usually  devised  for  inspecting  the  rest 
of  the  engines  in  service  (or  the  suspect  group  of  engines)  for  early  signs 
of  the  same  kind  of  failure.  These  inspections  forestall  further  failures 
while  the  part  is  being  redesigned.  The  alternative,  if  the  failure  is  criti- 
cal and  no  preventive  task  can  be  found,  is  grounding  the  fleet  until  the 
problem  can  be  solved, 

Because  items  within  the  powerplant  are  exposed  to  many  different 
forms  of  deterioration,  including  all  those  that  affect  the  structure  and 
the  various  systems,  they  have  no  common  failure  characteristic.  Unlike 
systems  items,  however,  all  engine  failures  have  operational  conse- 
quences and  some  failure  modes  have  safety  consequences.  For  this 
reason  significant  items  in  the  powerplant  are  identified  primarily  on 
the  basis  of  their  failure  effects.  The  very  complexity  of  the  powerplant 
results  in  one  further  characteristic.  Engines  are  subject  to  so  many 
failure  possibilities  that  operating  data  accumulate  rapidly,  especially 
with  use  on  multiengine  commercial  aircraft.  This  rapid  feedback,-along 
with  the  high  cost  of  corrective  maintenance  on  engines,  favors  the 
initial  selection  of  intensive  on-condition  inspections  for  powerplant 
items,  since  the  applicability  of  age-limit  tasks  can  be  investigated 
before  the  point  at  which  age-related  failures  would  have  any  major 
economic  impact. 

4*2  THE  RCM  DECISION  PROCESS 

evaluation  of  failure  The  partitioning  procedure  gives  us  a conservative  first  approximation 
consequences  Qf  ^e  ifems  that  mjght  benefit  from  scheduled  maintenance.  Each  of 
evaluation  of  proposed  tasks  ^tese  items  must  now  be  examined  in  detail  to  determine  whether  its 

failure  consequences  actually  qualify  it  as  significant  — and  if  so,  whether 
the  item  can  in  fact  benefit  from  scheduled  maintenance.  Even  when 
the  significance  of  an  item  is  confirmed,  there  may  be  no  form  of  pre- 
ventive maintenance  that  is  applicable  and  effective.  Such  items  cannot 
be  elirr  nnted  from  consideration,  however,  without  a full  analysis. 


item  and  a clear  definition  of  the  conditions  that  constitute  a functional 
failure  in  each  case,  It  is  also  necessary  to  know  the  failure  modes  in- 
volved in  order  to  determine  the  possible  effects  of  each  failure.  Once 
this  information  has  been  assembled  for  every  item  to  be  examined,  we 
are  in  a position  to  evaluate  the  actual  consequences  of  failure. 

As  a result  of  the  partitioning  process  certain  items  will  have  been 
identified  that  have  hidden  functions -that  is,  their  failure  will  not 
necessarily  be  evident  to  the  operating  crew,  The  first  matter  to  be 
ascertained  in  all  cases,  however,  is  whether  we  will  know  when  a 
failure  has  occurred.  The  following  question  is  necessary,  therefore,  to 
ensure  that  all  hidden  functions  are  accounted  for: 


Is  the  occurrence  of  a failure  evident  to  the  operating  crew  during  the 
performance  of  normal  duties? 


This  question  must  be  asked,  not  for  each  item,  but  for  each  function  of 
the  item.  The  loss  of  an  item's  basic  function  may  be  evident,  but  in 
many  cases  the  item  will  have  secondary  orothercharacteristic  functions 
whose  failure  will  not  be  evident  to  the  operating  crew, 

Recall  from  our  discussion  in  Chapter  2 that  any  functional  failure 
which  has  a direct  effect  on  operational  capability  — including  critical 
failures -will  always  be  evident  to  the  operating  crew.  If  the  effects  of  a 
failure  are  not  observable,  the  loss  of  function  has  no  immediate  impact. 
But  by  the  same  token,  there  is  no  assurance  that  the  failure  will  be 
reported  and  corrected.  Thus  if  the  answer  lo  this  first  question  is  no 
for  any  function,  scheduled  maintenance  is  required  for  that  item.  Thi 
purpose  of  the  task  is  not  necessarily  to  prevent  failures  of  the  hidden 
function,  but  to  prevent  exposure  of  the  equipment  to  a multiple  failure 
involving  that  item. 

In  the  case  of  a failure  that  is  evident  to  the  operating  crew,  the 
consequences  might  be  immediate;  we  therefore  need  to  know  how 
serious  they  are  likely  to  be: 


Does  the  failure  cause  a loss  of  function  or  secondary  damage  that 
could  have  a direct  adverse  effect  on  operating  safety? 


This  question  must  be  asked  for  each  functional  failure  and  for  each 
failure  mode,  Modern  design  practices  ensure  that  transport  aircraft  are 
exposed  to  very  few  critical  losses  of  function.  However,  certain  failure 
modes,  especially  in  engines,  do  cause  secondary  damage  that  poses  a 
safety  hazard,  Therefore  a yes  answer  to  either  aspect  of  this  question 
means  that  preventive  maintenance  is  mandatory  and  can  be  considered 
effective  onlv  if  it  prevents  all  occurrences  of  this  type  of  failure. 


i 


Safety 

consequences 


Operational  consequences  Nonoperational  consequences 

(economic)  (economic) 


Impact  immediate 


Impact  delayed 


Hidden-failure 

consequences 


EXHIBIT  4*2  Decision  diagram  lo  identify  significant  items  and 
hidden  functions  on  the  basis  of  failure  consequences.  Failures 
that  affect  safety  or  operating  capability  have  on  immediate  impact, 
since  the  aircraft  cannot  be  dispatched  until  they  have  been  corrected. 

The  impact  of  nonoperational  failures  and  hidden  failures  is  delayed 
in  the  sense  that  correction  can  be  deferred  to  a convenient  time  and 
location. 

If  the  answer  to  the  safety  question  is  no,  our  next  concern  is  with 
economic  consequences: 


Does  the  failure  have  a direct  adverse  effect  on  operational  capability? 


The  consequences  in  this  case  include  an  immediate  interruption  of 
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the  delay  or  cancellation  of  subsequent  flights  to  make  unscheduled  re- 
pairs—all  of  which  involve  an  economic  loss  beyond  the  cost  of  the 
repairs.  !n  this  case,  although  scheduled  maintenance  is  not  required 
for  safety  reasons,  it  may  be  desirable  on  economic  grounds.  Thus  if 
the  answer  to  this  question  is  yes,  any  applicable  preventive  tasks  must 
be  investigated  for  cost  effectiveness. 

If  the  failure  has  no  direct  effect  on  operational  capability,  the  eco- 
nomic consequences  include  only  the  cost  of  repair.  However,  certain 
functional  failures  may  be  far  more  expensive  to  repair  than  to  prevent, 
especially  in  the  case  of  a failure  mode  that  causes  extensive  damage  to 
surrounding  items.  Although  scheduled  maintenance  is  more  likely  to 
prove  cost-effective  when  operational  capability  is  a factor,  there  are 
certain  failure  modes  for  which  it  is  often  desirable  to  investigate  the 
economic  benefits  of  a preventive  task. 

The  relationship  of  these  three  questions  and  the  decision  outcomes 
in  each  case  are  illustrated  in  Exhibit  4.2.  This  simple  decision-diagram 
approach  provides  us  with  the  following  basic  information  about  each 
failure  possibility: 

► We  know  whether  the  failure  will  be  evident,  and  therefore  re- 
ported for  correction. 

► We  know  whether  its  consequences  include  a possible  safety  haz- 
ard for  the  equipment  or  its  occupants. 

► We  know  whether  its  consequences  have  a direct  effect  on  opera- 
tional capability. 

► We  know  the  objective  of  preventive  maintenance  in  each  case,  and 
hence  the  criterion  for  evaluating  task  effectiveness. 

With  this  information  we  are  now  in  a position  to  evaluate  the  main- 
tenance possibilities  for  each  item. 

EVALUATING  THE  PROPOSED  MAINTENANCE  TASKS 

The  next  phase  of  RCM  analysis  involves  a systematic  study  of  each 
failure  mode  to  determine  whether  one  of  the  four  basic  maintenance 
tasks  will  satisfy  both  the  criteria  for  applicability  and  the  specific  con- 
ditions for  effectiveness.  Since  there  is  a clear  order  of  preference  for 
the  first  three  preventive  tasks,  we  can  again  use  a decision-diagram 
approach,  as  shown  in  Exhibit  4.3. 

The  first  task  to  be  considered  for  each  anticipated  failure  mode  of 
the  item  being  studied  is  an  on-condition  inspection: 

Is  .in  on-enndition  task  to  detect  potential  failures  both  applicable  and 
effective? 


If  the  answer  is  yes,  an  on-condition  inspection  task  is  put  into  the  pro- 
gram for  that  failure  mode.  If  we  obtain  yes  answers  for  all  the  failure 
modes  of  an  item,  the  analysis  of  that  item  is  complete. 

The  applicability  of  an  on-condition  task  can  be  determined  by 
engineering  specialists  who  are  familiar  with  the  design  characteristics 
of  the  item,  the  materials  used  in  it,  and  the  inspection  technology 
available.  Thus  this  information  will  be  on  hand  before  the  equipment 
goes  into  service.  At  the  time  an  initial  maintenance  program  is  devel- 
oped, however,  there  may  not  be  enough  information  to  determine 
whether  the  task  will  be  effective.  In  this  case  we  assume  that  it  will  be 
effective  and  establish  the  initial  inspection  intervals  according  to  the 


EXHIBIT  4*3  Decision  di.igr.im  to  evaluate  proposed  scheduled- 
maintcnance  tasks.  If  none  of  the  three  directly  preventive  tasks  meets 
the  criteria  for  applicability  and  effectiveness,  an  item  whose  failures 
are  evident  cannot  be  considered  to  benefit  from  scheduled  maintenance. 
If  the  item  has  a nidden  function,  the  default  action  is  a scheduled 
failure-finding  task. 


Discard  No  scheduled 

task  maintenance 


seriousness  of  the  failure  consequences.  Any  applicable  inspection  task 
can  be  made  effective  in  terms  of  failure  prevention  if  the  intervals  are 
short  enough,  and  if  operating  experience  later  shows  that  it  is  not  cost- 
effective,  the  task  will  be  deleted  from  the  program  at  the  next  review. 

If  an  on-condition  task  is  not  applicable  for  certain  failure  modes, 
the  next  choice  is  a scheduled  rework  task: 


Is  a rework  task  to  reduce  the  failure  rate  both  applicable  and  effective? 


In  this  case  the  question  of  applicability  as  well  as  effectiveness  requires 
an  analysis  of  operating  data.  Thus,  unless  the  a ^e-reliability  charac- 
teristics of  the  item  are  known  from  prior  expe  rence  with  a similar 
item  exposed  to  a similar  operating  environment,  the  assumption  in  an 
initial  program  is  that  an  item  will  not  benefit  from  scheduled  rework. 
In  the  absence  of  information,  the  answer  to  this  question  is  no,  and 
we  wait  for  the  necessary  information  to  become  available  after  the 
equipment  goes  into  service. 

A no  answer  to  the  rework  question  brings  us  to  the  question  of  a 
scheduled  discard  task: 


Is  a discard  task  to  avoid  failures  or  reduce  the  failure  rate  both  applicable 
and  effective? 


In  an  initial  maintenance  program  the  only  items  scheduled  for  discard 
will  be  those  for  which  the  manufacturer  has  specified  safe-life  limits. 
The  tasks  associated  with  those  items  are  put  into  the  program,  but  in 
nearly  all  other  cases  the  answer  at  this  stage  will  be  no. 


4-3  USE  OF  THE  RCM  DECISION  DIAGRAM 


The  small  decision  diagram  in  Exhibit  4.3  provides  the  essential  mecha- 
nism for  deciding  which,  if  any,  of  the  preventive-maintenance  tasks 
are  both  applicable  and  effective  for  a particular  item.  To  use  this  dia- 
gram, however,  it  is  necessary  to  know  the  failure  consequences  that 
determine  effectiveness  in  each  case  a>  d also  dictate  the  default  action 
to  be  taken  at  each  decision  level. 


the  full  RCM  decision  diagram 
use  of  the  four  consequence 
branches 

the  role  of  the  default  strategy 


THE  COMBINED  DECISION  DIAGRAM 

Exhibit  4.4,  which  brings  together  the  decision  questions  in  Exhibits  4.2 
and  4.3,  can  be  used  to  develop  an  RCM  program  either  for  new  equip- 
ment or  for  equipment  v. '.licit  is  already  in  service.  As  we  will  see  in 

Chapter  5,  it  can  also  be  used  to  modify  the  initial  program  as  new  SECTION  4-3  91 
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2 Does  the  failure  cause  a loss  of 
function  or  secondary  damage  that 
could  have  a direct  advene  effect 
on  operating  safety? 


3 Does  the  failure  have  a direct 
advene  effect  on  operational 
capability? 
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10  Is  a discard  task  to  avoid  failures 
or  reduce  the  failure  rate  both 
applicable  and  effective? 
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EXHIBIT  4 '4  The  RCM  decision  diagram.  These  questions  must  be 
asked  for  each  type  of  functional  failure  listed  for  the  item.  The  first 
three  questions  determine  the  consequences  of  that  failure,  and  hence 
the  objective  of  preventive  tasks.  (F.  S.  Nowlan  and  H.  F.  Heap) 
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information  becomes  available.  The  chapters  in  Part  Two  discuss  the 
application  of  RCM  analysis  to  each  of  the  three  majcr  divisions  of  the 
aircraft  — systems,  powerplant,  and  structures.  For  the  time  being,  how- 
ever, let  us  see  how  the  failure  consequences  influence  the  process  of 
task  selection. 

Consider  an  item  which  is  subject  to  a critical  failure.  The  answer 
to  question  1 is  yes,  since  any  failure  that  has  a direct  adverse  effect  on 
operating  safety  will  be  evident  to  the  operating  crew.  (This  answer 
refers,  of  course,  only  to  a loss  of  the  p a . ticular  function  under  consider- 
ation.) The  answer  to  question  2 is  a'so  yes,  since  the  failure  has  been 
stated  as  critical.  All  subsequent  questions  about  this  failure  possibility 
therefore  fall  in  the  safety  branch  of  the  diagram.  This  has  two  important 
implications  for  scheduled  maintenance: 

► Scheduled  maintenance  is  required  if  an  applicable  preventive  task 

can  be  found. 

► A task  can  be  considered  effective  only  if  it  reduces  the  risk  of 

critical  failure  to  an  acceptable  level. 

In  the  case  of  transport  aircraft  the  risk  must  be  at  a level  of  extreme 
improbability  to  be  acceptable,  but  in  the  general  case  an  acceptable 
level  does  exist.  For  example,  single-engine  aircraft  are  utilized  for 
various  civilian  and  military  applications. 

Each  failure  mode  that  might  result  in  this  failure  is  now  examined 
to  determine  which  of  the  proposed  preventive  tasks  will  accomplish 
the  necessary  objective.  If  an  on-condition  task  is  applicable  for  some 
failure  mode,  it  can  usually  be  made  effective  by  assigning  conserva- 
tively short  inspection  intervals  (a  yes  answer  to  question  4).  If  there 
are  failure  modes  for  which  on-condition  inspection  is  not  applicable, 
the  question  of  scheduled  rework  is  considered.  However,  in  an  initial 
program  the  failure  data  necessary  to  determine  the  applicability  of 
such  a task  are  rarely  available,  and  no  operating  organization  can 
aifcrd  the  number  of  critical  failures  required  to  provide  this  informa- 
tion. Thus  1 i the  case  of  a critical-failure  mode  the  answer  to  question  5 
is  no. 

This  brings  us  to  the  question  of  scheduled  discard  of  the  item  or 
part  in  which  the  critical  failure  originates  — that  is,  to  a safe-life  limit. 
In  determining  initial  program  requirements  engineering  advice  may 
indicate  that  such  a task  is  applicable.  Its  effectiveness  cannot  be  evalu- 
ated, however,  uniess  a safe-life  limit  has  been  established  by  develop- 
mental testing  under  simulated  operating  conditions.  If  a safe-life  limit 
has  been  established,  scheduled  discard  at  this  limit  is  required;  if  e 
life  limit  has  not  been  established  for  this  item,  the  answer  to  question 
94  THEORY  AND  PRINCIPLES  6 is  no. 


When  some  failure  mode  cannot  be  adequately  controlled  by  any 
one  of  the  preceding  tasks,  we  have  one  further  recourse: 


7 Is  a combination  of  preventive  tasks  both  applicable  and  effective? 


There  are  occasional  circumstances  in  which  a combination  of  two  or 
more  preventive  tasks  will  reduce  the  risk  of  critical  failure  to  an  accept- 
able level.  In  a single-engine  aircraft,  for  example,  any  and  all  applicable 
tasks  might  be  employed  to  reduce  the  likelihood  of  engine  failure 
to  the  lowest  level  possible.  In  most  instances,  however,  this  is  a stop- 
gap measure,  pending  redesign  of  the  vulnerable  part.  If  no  combina- 
tion of  tasks  can  be  found  that  will  effectively  avoid  critical  failures  in 
the  interim,  it  may  be  necessary  to  restrict  operation  of  the  equipment 
or  even  to  remove  it  from  service. 

To  return  to  the  top  of  the  decision  diagram,  suppose  the  failure  of 
an  item  has  no  safety  consequences  (a  no  answer  to  question  2),  but  it 
does  have  operational  consequences  (a  yes  answer  to  question  3).  In 
this  event  we  are  concerned  only  with  the  economic  consequences  of  a 
functional  failure: 

► Scheduled  maintenance  is  desirable  if  its  cost  is  less  than  the  com- 
bined costs  of  operational  consequences  and  repai,  for  those  fail- 
ures it  prevents. 

► A task  can  be  considered  effective  only  if  it  is  cost-effective. 

In  scheduled  airlines  operational  consequences  can  usually  be  measured 
in  terms  of  the  inability  to  deliver  service  to  passengers  in  a timely 
fashion.  In  other  operating  contexts  the  cost  of  lost  operational  capa- 
bility migh*  be  measured  differently.  However,  a cost  can  always  be 
imputed  to  any  operational  failure  in  terms  of  the  opportunity  cost  of 
being  unable  to  use  the  equipment  as  planned. 

To  determine  whether  a purposed  maintenance  task  is  economi- 
cally desirable,  it  is  necessary  to  know  the  imputed  cost  assigned  to  the 
expected  operational  consequences.  In  initial  programs  this  will  usually 
be  an  arbitrary  figure  based  on  the  benefits  anticipated  at  the  time  the 
equipment  was  purchased.  In  addition,  it  is  necessary  to  have  some 
idea  of  the  likelihood  of  failure,  the  cost  of  the  proposed  task,  and  the 
cost  of  corrective  maintenance  if  the  item  is  allowed  to  fail.  Generally,  if 
the  expected  failure  rate  is  low  and  the  operational  consequences  are 
not  excessive,  the  decision  will  be  to  use  no  scheduled  maintenance.  As 
the  total  cost  of  failure  increases,  preventive  maintenance  becomes  more 
attractive.  In  most  cases  it  is  possible  to  make  a decision  without  a 
formal  economic-tradeoff  study.  (Later  in  the  chapter  we  will  examine 


a procedure  for  determining  whether  an  economic-tradeoff  study  is 
likely  to  be  worthwhile.) 

Where  no  applicable  and  cost-effective  maintenance  task  can  be 
found,  we  must  either  accept  the  operational  consequences  (no  sched- 
uled maintenance)  or  redesign  the  item  to  reduce  the  frequency  of 
failures.  This  decision  ordinarily  depends  on  the  seriousness  of  the 
operational  consequences.  If  they  represent  a major  economic  loss,  the 
default  decision  is  redesign. 

If  the  failure  of  an  item  has  no  operational  consequences,  the  ques- 
tion of  task  effectiveness  is  evaluated  in  direct  economic  terms: 

► Scheduled  maintenance  is  desirable  if  its  cost  is  less  than  the  cost  of 
*~pair  for  those  failures  it  prevents. 

► A task  can  be  considered  effective  only  if  it  is  cost-effective. 

Task  effectiveness  in  this  '-ase  is  a simple  tradeoff  between  the  cost  of 
prevention  and  the  cost  of  cure.  If  both  costs  are  of  the  same  order  of 
magnitude,  the  decision  goes  to  no  scheduled  maintenance.  The  reason 
for  this  is  that  any  preventive-maintenance  task  may  disturb  fne  steady- 
state  conditions  of  the  mechanism,  and  this  risk  should  not  be  intro  - 
duced  without  good  cause.  Thus  a preventive  task  will  be  scheduled 
only  where  the  cost  of  correcting  failed  items  far  outweighs  the  cost  of 
preventing  failures. 

Note  that  many  of  the  items  designated  for  no  scheduled  main- 
tenance through  this  decision  process  might  well  have  been  identified 
at  the  outset  as  those  which  cannot  benefit  from  scheduled  maintenance. . 
This  branch  of  the  decision  diagram,  however,  permits  us  to  evaluate 
borderline  items  which  might  have  benefited  from  a scheduled  task  if 
an  applicable  one  could  be  found. 

In  the  case  of  hidden-function  items  task  effectiveness  involves 
two  criteria: 

► Scheduled  maintenance  is  required  to  avoid  exposure  to  a possible 
multiple  failure. 

► A task  can  be  considered  effective  only  if  it  ensures  adequate  avail- 
ability of  the  hidden  function. 

Some  hidden  functions  are  sufficiently  important  tiiat  their  availability 
is  protected  by  periodic  checks  by  the  operating  crew  — that  is,  they  are 
made  evident  by  defining  the  normal  duties  of  the  crew  to  cover  them. 
In  all  other  cases,  however,  scheduled  inspections  are  necessary.  Since 
hidden  failures  can  have  no  direct  effect  on  safety  or  operational  capa- 
bility, we  can  allow  such  items  to  fail,  but  we  cannot  afford  the  possible 
consequences  of  undetected  failures.  Thus,  in  the  absence  o*  any  directly 
preventive  task  that  is  applicable  and  effective,  a specific  failure-finding 
task  must  always  be  assigned. 


THE  ROLE  OF  THE  DEFAULT  STRATEGY 

The  information  to  be  channeled  into  RCM  decisions  requires  analysis 
under  two  different  sets  of  conditions.  One  is  the  development  of  an 
initial  maintenance  program  on  the  basis  of  limited  information.  The 
other  is  modification  of  these  initial  requirements  as  information 
becomes  available  from  operating  experience.  As  information  accumu- 
lates, it  becomes  increasingly  easier  to  make  robust  decisions.  In  devel- 
oping a prior-to-service  program,  however,  there  are  many  areas  in 
which  there  is  insufficient  information  for  a clearcut  yes-or-no  answer 
or  the  study  group  is  unable  to  reach  a consensus.  To  provide  for  deci- 
sion making  under  these  circumstances  it  is  necessary  to  have  a backup 
default  strategy  which  dictates  the  course  of  action  in  such  cases. 

The  default  strategy  summarized  in  Exhibit  4.5  shows  for  each  of 
the  decision  questions  which  answer  must  be  chosen  in  case  of  uncer- 
tainty. In  each  case  the  default  answer  is  based  on  protection  of  the 
equipment  against  serious  consequences.  For  example,  in  the  process 
of  identifying  significant  items,  if  it  can  be  demonstrated  that  the  failure 
of  an  item  has  no  effect  on  safe  or  operating  capability,  the  item  can 
be  classified  as  nonsignificant  t does  not  warrant  further  study  to 
see  if  it  can  benefit  from  schedule-,  maintenance.  If  there  is  any  doubt, 
however,  it  must  be  classified  as  significant  and  cannot  be  dismissed 
without  further  analysis.  Similarly,  if  it  is  not  certain  that  a loss  of  func- 
tion will  be  evident  to  the  operating  crew,  it  is  treated  as  hidden  unless 
a failure  mode  involves  critical  secondary  damage. 

This  default  approach  can  conceivably  lead  to  more  preventive 
maintenance  than  is  necessary.  Some  tasks  will  be  included  as  protec- 
tion against  hazards  that  do  not  exist,  and  others  may  be  scheduled  far 
too  frequently.  The  means  of  eliminating  such  excessive  costs  is  pro- 
vided by  the  age-exploration  studies  which  begin  as  soon  as  the  equip- 
ment goes  into  se  vice.  Through  this  process  the  information  needed  to 
refine  the  initial  program  (and  make  major  revisions  where  necessary) 
is  gathered  systematically  for  evaluation.  We  will  examine  the  tech- 
niques of  age  exploration  and  the  nature  of  the  information  it  provides 
in  the  next  chapter. 

Since  an  analysis  of  age-reliability  characteristics  requires  failure 
data  that  will  not  become  available  until  some  time  after  the  equipment 
has  been  in  service,  the  default  strategy  will  result  in  a no  answer  to 
nearly  all  questions  concerning  the  applicability  and  effectiveness  of 
scheduled  rework  and  discard  tasks.  Consequently,  my  initial  RCM 
program  will  consist  essentially  of  on-condition  tasks,  a few  safe-life 
discard  tasks,  and  failure-finding  tasks  for  hidden-function  items,  in 
addition  to  the  usual  servicing  and  lubrication  tasks.  Scheduled  rework 
or  economic-life  discard  tasks  may  be  added  at  some  later  stage,  after 
their  applicability  and  effectiveness  can  be  evaluated,  but  they  rarely 
appear  in  an  initial  program. 
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decision  question 


default  answer  to  be  used 
in  case  of  uncertainty 


IDENTIFICATION  OF  SIGNIFICANT  ITEMS 
Is  the  item  dearly  nonsignificant? 

EVALUATION  OF  FAILURE  CONSEQUENCES 
Is  the  occurrence  of  a failure  evi- 
dent to  the  operating  crew  during 
performance  of  normal  duties? 

Does  the  failure  cause  a loss  of 
function  or  secondary  damage  that 
could  have  a direct  adverse  effect 
on  operating  safety? 

Does  the  failure  have  a direct 
adverse  effect  on  operational 
capability? 

EVALUATION  OF  PROPOSED  TASKS 
Is  an  on-conJition  task  to  detect 
potential  failures  applicable? 

If  an  on-condition  task  is 
applicable,  is  it  effective? 

Is  a rework  task  to  reduce  the 
failure  'ate  applicable? 

If  a rework  task  is  applicable,  is 
it  effective? 


Is  a discard  task  to  avoid  failures 
or  reduce  the  failure  rate 
applicable? 

If  a discard  task  is  applicable,  is  it 
effective? 


No:  classify  Item  as  significant. 


No  v except  for  critical  secondary 
damage):  classify  function  as 
hidden. 

Yes:  classify  consequences  as 
critic?.!. 


Yes:  classify  consequences  as 
operational. 


Yes:  include  on-condition  task  in 
program. 

Yes:  assign  inspection  intervals 
short  enough  to  make  task 
effective. 

No  (unless  there  are  real  and 
applicable  data):  assign  item  to 
no  scheduled  maintenance. 

No  ^unless  there  are  real  and 
applicable  data):  assign  item  to 
no  scheduled  maintenance. 

No  (except  for  safe-life  items): 
assign  item  to  no  scheduled 
maintenance. 

No  (except  for  safe-life  items): 
assign  item  to  no  scheduled 
maintenance. 


stage  at  which  question  can  be  answered 

initial  program  ongoing  program 

w ith  default)  (operating  data) 


possible  adverse  consequence, 
of  default  derision 


default  consequences 
eliminated  ivilh  ; asequent 
operating  information 


^ ' 

X 

Unnecessary  analysis 

No 

X 

X 

Unnecessary  inspections  that  arc 
not  c /St-etfective 

>es 

X 

X 

Unnecessary  redesign  or  scheduled 
maintenance  that  is  not  cost- 
effective 

No  tor  redesign; 
yes  for  s-heduled 
maintenance 

X 

X 

Scheduled  maintenance  that  ij  not 
cost-effective 

Yes 

X 

X 

Scheduled  maintenance  that  is  not 
cost-eftective 

Yes 

X 

X 

Scheduled  maintenance  tha*  is  not 
COsi-effeciive 

Yes 

— 

X 

Delay  in  exploiting  opportunity 
to  i educe  costs 

Yes 

— 

X 

Unnecessary  redesign  (safety)  c< 
delay  in  exploiting  opportunity 
to  reduce  costs 

No  tor  redesign; 
yes  for  scheduled 
maintenance 

X 

(safe  life  only) 

X 

(economic  life) 

Delay  in  exploiting  opportunity 
to  reduce  costs 

Yes 

X 

(safe  life  only) 

(econo  iic  life) 

Delay  in  exploiting  opportunity 
to  reduce  costs 

Yes 

4*4  DETERMINING  COST  EFFECTIVENESS 


criteria  for  cost  effectiveness 
finding  a cost-effective  interval 
the  impact  of  inherent 
reliability  characteristics 
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Since  a moderate  amount  of  information  gathering  is  necessary  for  cal- 
culations of  cost  effectiveness,  it  is  helpful  to  know  whether  the  effort  is 
likely  to  be  fruitful.  The  decision-diagram  approach  is  also  useful  in  this 
area.  Exhibit  4.6  illustrates  one  method  for  deciding  whether  a detailed 
assessment  of  an  applicable  task  might  be  worthwhile. 

Up  to  this  point  we  have  not  been  concerned  about  failure  rate, 
since  it  is  not  a primary  measure  of  consequences.  In  the  case  of  critical 
failures  it  has  no  boaring;  in  fact,  the  sole  objective  is  to  avoid  any  fail- 
ures on  which  to  base  a rate.  Where  the  consequences  are  economic, 
however,  the  total  cost  depends  on  the  frequency  with  which  these 
consequences  are  likely  to  occur.  The  first  question  in  evaluating  the 
cost  effectiveness  of  prevention,  therefore,  concerns  the  frequency  of 
functional  failures: 


Is  the  functional-failure  rale  high? 


Since  it  is  seldom  worthwhile  to  deal  with  rare  types  of  noncritical  fail- 
ures, this  question  rules  out  items  that  fail  so  seldom  that  the  cost  of 
scheduled  maintenance  would  probably  be  greater  lhan  the  benefits 
to  be  derived  from  ih  The  term  high,  of  course,  is  open  to  interpretation. 
In  airline  practice  a failure  rate  greater  than  1 per  1,000  hours  of  flight 
time  is  usually  considered  high,  whereas  a rate  of  less  than  0.1  per  1,000 
hours  is  usually  not  considered  important.  This  question  is  often  easier 
to  answer  if  the  failure  rate  is  described  in  terms  of  the  number  of  fail- 
ures per  month 

If  the  failure  rate  is  judged  to  be  high,  *he  next  concern  is  the  cost 
involved.  Operational  consequences  are  usually  the  major  cost  associ- 
ated with  a high  failure  rote: 


Dues  the  failure  involve  operational  consequences? 


Any  failure  that  prevents  continued  dispatch  of  the  equipment  involves 
operational  consequences.  However,  the  extent  of  the  economic  loss 
depends  largely  on  the  intended  use  of  the  equipment.  In  a military  con- 
text, for  example,  a much  higher  cost  might  be  imputed  to  dispatch  of 
an  airplane  with  restrictions  on  its  operating  performance  than  would 
be  the  case  in  a commercial-airline  context.  If  the  failure  does  have 
operational  consequences,  the  total  cost  of  failure  includes  the  combined 
cost  of  these  consequences  and  the  cost  of  repair. 


Even  when  operational  consequences  are  not  involved,  it  may  be 
advantageous  to  forestall  a particularly  expensive  failure  mode: 


Does  any  failure  mode  cause  unusually  high  repair  or  operating  costs? 


This  question  must  be  investigated  separately,  since  such  failure  modes 
will  usually  be  responsible  for  only  a small  fraction  of  the  total  number 
of  failures, 


IXHIBtT  4 "6  Derision  diagram  (or  evaluating  the  probable  cost 
effectiveness  of  a proposed  task  when  scheduled  maintenance  Is  not 
required  to  protect  operating  safety  oi  the  availability  of  hidden 
functions.  The  purpose  of  the  decision  technique  is  to  reduce  the 
number  of  formal  economic-tradeoff  studies  that  mus'  be 
performed. 


Tksk  is  cost-  Task  is  not 

effective  r cost-effective 
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A yes  answer  to  either  of  the  preceding  two  questions  means  that 
we  need  further  information: 


Do  real  and  applicable  data  show  the  desirability  of  the  proposed  task? 


It  is  possible  to  arrive  at  a yes  answer  to  this  question  if  there  is  sub- 
stantial evidence  that  this  task  was  cost-effective  in  the  past  for  this  or 
a similar  item.  If  so,  the  task  can  be  scheduled  without  a formal  study. 

EXHIBIT  4 '7  A pro  forma  for  analyzing  the  support  costs  associated 
with  scheduled  removals  for  rework.  At  least  four  proposed  rework 
intervals  must  be  examined  to  determine  whether  a cost-effective 
interval  does  exist. 


item 

annual  volume  of  operation 
proposed  interval 


Number  of  failure*  per  year1 

Average  base  coal  of  repairing  a failed  unit* 

Annual  base  coal  of  repairing  failed  units 
Number  of  failures  that  have  operational  consequences* 
Average  cost  of  operational  consequences  after  failure 
Annual  cost  of  operational  consequences 
Number  of  scheduled  removals  per  year 
Average  base  cost  for  a time-expired  unit* 

Annual  base  cost  for  time-expired  units 
Number  of  spare  units  required  to  support  workload 
Cost  of  unit 

Annual  cost  of  spare  units  required 
Total  annual  support  costs4 


X 


sx 

sx 

X 

IX 

$x 

X 

IX 

$x 

X 

IX 

$x 

»x 

1 It  may  be  desirable  to  study  a specific  expensive  failure  mode  separately. 

2 Includes  cost  of  removing  and  installing  unit  at  line  station  and  of 
transporting  It  to  and  from  the  maintenance  base 

3 The  number  of  failures  that  have  operational  consequences  may  be  different 
from  the  total  number  of  failures,  since  not  every  failure  will  have  such 
consequences. 

4 If  the  change  in  volume  of  work  at  the  maintenance  base  results  in  changes 
in  facility  requirements,  the  annual  cost  of  such  changes  should  be  included 
in  the  support  costs. 
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Otherwise  the  question  of  economic  tradeoff  must  be  evaluated  for 
each  of  the  applicable  maintenance  tasks: 


Does  an  economic-tradeoff  study  justify  the  task? 


An  economic-tradeoff  study  involves  several  steps: 

► An  estimate  of  the  incremental  effect  of  the  task  on  the  failure  rate 
of  the  item  for  several  different  task  intervals 

► A translation  of  the  reduced  failure  rate  into  cost  reductions 

► An  estimate  of  the  cost  of  performing  the  proposed  task  for  each 
of  the  intervals  considered 

► Determination  of  the  interval,  if  one  exists,  at  which  the  cost- 
benefit  ratio  is  the  most  favorable 

Exhibit  4.7  shows  a pro  forma  for  evaluating  the  cost  effectiveness  of  a 
scheduled  rework  task.  As  we  saw  in  Chapter  3,  the  cost  factors  for  on- 
condition  tasks  and  scheduled  rework  tasks  are  quite  different.  Sched- 
uled removals  increase  both  the  total  shop  volume  and  the  number  of 
spare  units  required  to  replace  the  units  that  are  undergoing  rework. 
Consequently,  unless  the  frequency  of  a very  expensive  failure  is  ma- 
terially reduced  by  an  age  limit,  the  total  cost  of  this  task  will  usually 
outweigh  its  economic  benefits. 

In  contrast,  the  total  number  of  potential  failures  removed  as  a 
result  of  on-condition  inspections  is  not  appreciably  greater  than  it 
would  be  if  each  unit  were  allowed  to  fail.  Moreover,  the  cost  of  repair- 
ing potential  failures  is  usually  less  than  the  cost  of  repair  after  a func- 
tional failure.  As  a result,  on-condition  inspection  tasks,  when  they  are 
applicable,  are  relatively  easy  to  justify. 

The  important  role  of  cost  effectiveness  in  RCM  decision  making 
helps  to  clarify  the  nature  of  inherent  reliability  characteristics.  The 
inherent  reliability  of  an  item  is  not  the  length  of  time  it  will  survive 
with  no  failures;  rather,  it  is  the  level  of  reliability  the  item  will  exhibit 
when  it  is  protected  by  preventive  maintenance  and  adequate  servicing 
and  lubrication.  The  degree  of  reliability  that  can  be  achieved,  however, 
depends  on  certain  characteristics  that  are  a direct  resub  of  the  design 
details  of  the  equipment  and  the  manufacturing  processes  that  pro- 
duced it.  These  characteristics  determine  both  the  need  for  preventive 
maintenance  and  the  effectiveness  with  which  h can  be  provided.  Thus 
from  a maintenance  standpoint  inherent  reliability  characteristics  are 
decision  factors  such  as  those  listed  in  Exhibit  4 8.  Note  that  the  answer 
to  each  of  the  questions  in  Exhibit  4.4  requires  a I rmwledge  of  at  least 
one  of  these  characteristics. 


feadWtlfrlA 


inherent  reliability  characteristic 


impact  on  decision  making 


Failure  conssqusnces 


Visibility  o f functional  failure  to 
operating  crew 


Ability  to  measure  reduced 
resistance  to  failure 

Rate  at  which  failure  resistance 
decreases  with  operating  age 

Age-reliability  relationship 


Cost  of  corrective  maintenance 


Cost  of  preventive  maintenance 


Need  for  safe-life  limits  to 
prevent  critical  failures 

Need  for  servicing  and 
lubrication 


|\«loaealeee  --•*  lAMraa 

iwiiiupn  flagninouK*  0& 
for  scheduled  nuInlsniTs 
estsMishss  definition  of  task 
effectiveness;  dstermiats  default 
strategy  when  no  eppUcable  end 
effective  task  can  be  found 

Determines  need  for  fatlure- 
finding fM*t  to  ensure  that 
failure  is  detected 

Determines  applicability  of 
on -condition  tasks 

Determines  interval  for 
on-condition  teaks 

Determines  applicability  of 
rework  end  discard  tasks 

Helps  establish  task  effective- 
ness, except  for  critical  failuns 

Helps  establish  task  effective- 
ness, except  for  critical  failures 

Determines  applicability  and 
interval  of  safe-life  discard 
my« 

Determines  applicability  and 
interval  of  servicing  and 
lubrication  tasks 


EXHIBIT  4'B  Examples  of  inherent  reliability  characteristics  and  their 
impact  on  decision  making.  Each  decision  question  in  Exhibit  4.4 
requires  a knowledge  of  at  least  one  of  these  characteristics.  In  the 
absence  of  this  knowledge,  a default  answer  must  be  employed  in 
developing  an  initial  scheduled-maintenanc>-  program. 


The  test  of  cost  effectiveness  means  that  an  RCM  program  will  nor 
include  some  tasks  that  might  reduce  the  likelihood  of  noncritical  fail- 
ures. However,  when  a failure  has  economic  consequences  the  inclusion 
of  a task  that  is  not  cost-effective  would  merely  transfer  these  conse- 
quences from  one  cost  category  to  another;  it  would  not  reduce  them. 
Thus  the  cost  factors  on  both  sides  must  be  considered  inherent  reli- 
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' 


feasible  for  an  existing  design.  Within  this  framework,  RCM  analysis 
ensures  all  the  operat  ng  reliability  of  which  the  equipment  is  capable. 
Moreover,  it  results  in  a selection  of  only  those  tasks  which  will  accom- 
plish this  objective;  hence  it  also  provides  the  required  maintenance 
protection  at  minimum  cost. 

Certain  of  the  inherent  reliability  characteristics  of  new  equipment 
are  unknown  at  the  time  a prior-to-service  maintenance  program  is 
developed.  Consequently  the  initial  program  is  somewhat  more  expen- 
sive than  later  refinements  of  it  will  be  (although  it  is  still  a minimum- 
cost  program  in  terms  of  the  information  available  at  the  time).  This 
situation  is  inevitable  because  of  the  default  decisions  necessary  to 
protect  the  equipment  in  the  absence  of  full  information.  It  is  not  too 
serious  a matter,  however,  because  of  the  relatively  slow  rate  at  which 
fleets  of  new  equipment  grow.  For  example,  the  Boeing  727  fleet  shown 
in  Exhibit  4.9  took  six  years  to  reach  its  maximum  size  of  150  aircraft. 
Although  the  full  fleet  finally  flew  more  than  400,000  total  hours  a year, 
the  20  planes  in  service  by  the  end  of  the  first  year  had  flown  a total  of 
only  34,300  hours.  Thus  the  maintenance  costs  stemming  from  these 
initial  default  decisions  have  little  overall  economic  impact  and  will  be 
materially  reduced  with  the  information  available  by  the  time  the  fleet 
reaches  full  size. 


EXHIBIT  4 -9  Examples  of  fleet  growth  in  a commercial  airline.  Each 
purchasing  airline  has  a maximum  rate  at  which  it  can  accept  new 
airplanes,  determined  by  training  and  staffing  rt  quirements.  The  rate 
at  which  new  equipment  can  enter  service  is  highest  tor  large  airlines. 
(United  Airlines) 
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4 • 5 AGE  EXPLORATION 


determination  of  One  of  the  most  important  aspects  of  an  initial  RCM  program  is  age 
^potential-failure  age  exploration  to  determine  the  applicability  of  certain  tasks  and  the  most 
opportunity  samp  mg  effec^ive  intervals  for  others.  In  the  case  of  aircraft  this  process  starts 
with  the  manufacturer's  certification  test  flights,  during  which  some  of 
the  most  frequent  types  of  failures  will  be  identified.  If  some  of  these 
failures  have  major  consequences,  product  improvement  will  be  initi- 
ated before  any  equipment  is  delivered  to  the  purchaser.  The  informa- 
tion obtained  during  the  certification  period,  however,  identifies  aly 
those  items  that  have  failed  — presumably  those  with  a high  probability 
of  failure.  The  entire  certification  program  for  a new  commercial  trans- 
port plane  requires  a total  of  only  1,500  to  2,000  flight  hours  accumu- 
lated on  the  five  or  six  planes  assigned  to  the  program.  The  flying  time 
for  any  one  test  plane  is  usually  no  more  than  400  or  500  hours. T con- 
trast, once  a plane  is  put  into  service,  it  may  fly  300  or  more  ho  rs  a 
month.  At  this  point  we  can  begin  to  acquire  information  on  the  addi- 
tional reliability  characteristics  of  the  equipment. 

As  we  saw  in  Section  3.1,  the  applicability  of  an  on-condition  task 
depends  on  the  ability  to  measure  reduced  failure  resistance.  Its  effec- 
tiveness, however,  depends  on  the  interval  between  inspections.  The 
same  holds  true  for  failure-finding  tasks  assigned  to  hidden-function 
items.  For  this  reason  all  such  tasks  are  assigned  conservatively  short 
intervals  in  an  initial  program,  and  all  items  whose  failure  could  have 
safety  or  major  economic  consequences  are  carefully  monitored  by  fre- 
quent sample  inspections  to  determine  the  exact  effect  of  operating  age 
on  their  condition.  The  simple  metal  part  illustrated  in  Exhibit  3.1,  for 
example,  would  initially  be  monitored  at  the  intervals  shown  in  Ex- 
hibit 4.10  to  determine  the  exact  point  to  be  defined  as  a potential  fail- 
ure, the  age  at  which  inspections  should  start,  and  the  most  effective 
interval  between  inspections. 

Because  on-condition  inspections  play  a large  role  in  fhe  mainte- 
nance programs  for  turbine  engines,  some  interesting  practices  have 
evolved  to  reduce  the  cost  of  obtaining  this  information.  When  an 
initial  program  is  being  developed,  expeiience  with  earlier  types  of 
engines  will  suggest  many  parts  that  might  benefit  frqm  on-condition 
tasks,  as  well  as  some  that  might  benefit  from  scheduled  rework.  Con- 
sequently the  sample  inspections  required  for  age  exploration  make  up 
a large  part  of  the  initial  maintenance  program  for  any  powerplant. 

Some  of  these  inspections  can  be  performed  while  the  engine  is 
installed,  but  others  can  be  performed  only  at  a major  maintenance  bast 
after  a certain  amount  of  disassembly  of  the  engine.  The  "on-the-wing" 
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Sample-inspection  intervals 

EXHIBI7  4*10  Initial  sampling  intervals  assigned  in  an  age- 
exploration  program  to  determine  the  rate  at  which  failure  resistance 
declines.  Reduced  resistance  is  not  detectable  until  .1  visible  crack 
appears;  thereafter  the  rate  of  crack  propagation  is  monitored  io 
determine  the  exact  point  to  be  defined  as  a potential  failure,  the 
point  at  which  it  is  necessary  to  begin  on-condition  inspections,  and 
the  most  effective  inspection  interval  to  ensure  that  all  failing  units 
will  be  identified  at  the  potential-failure  stage. 


inspections  are  handled  by  an  initial  requirement  for  early  inspection 
of  tho  item  on  all  engines.  However,  if  inspection  of  the  first  few  engines 
to  reach  this  limit  discloses  no  unsatisfactory  conditions,  the  limit  for 
the  remaining  engines  is  extended.  Thus  very  few  engines  are  actually 
inspected  at  any  fixed  time  limit  until  the  point  at  which  it  becomes 
desirable  to  stop  extending  the  limit. 

For  those  parts  that  require  engine  disassembly  for  inspection, 
the  practice  is  to  define  an  age  limit  at  which  inspection  informa- 
tion is  considered  to  be  of  value.  The  initial  operating  age  of  a part 
might  be  limited,  for  example,  to  1,500  hours  without  inspection,  and 
the  threshold  age  for  valid  samplirg  information  might  be  set  at  500 
hours.  This  was  done  for  the  General  Electr  ~ CF6-6  engine  in  the  Doug- 
las DC-10.  In  that  case  the  FAA  required  , oection  of  two  sets  of  parts 
(equivalent  to  two  engines)  to  justify  an  inci,  se  in  the  1,500-hour  limit. 

The  initial  maintenance  program  stated  that  sampling  information  could 
be  obtained  either  from  one  part  aged  500  to  1,000  hours  and  a second 

part  aged  1,000  to  1,500  hours,  or  else  from  two  parts  that  were  both  SECTION  4*5  107 
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aged  1,000  to  1,500  hours.  The  two  sets  of  part-inspection  reports  could 
be  based  on  the  inspection  of  parts  in  any  number  of  engines. 

The  reason  for  this  flexibility  in  scheduling  is  to  take  advantage  of 
opportunity  samples , samples  taken  from  engines  that  have  failed  and 
have  been  sent  back  to  the  main  base  for  repair.  Any  undamaged  parts 
from  these  engines  can  be  used  to  meet  the  sampling  requirements. 
This  procedure  makes  it  unnecessary  to  schedule  engine  removals  for 
disassembly  solely  for  the  purpose  of  inspecting  parts.  Such  forced 
removals  are  necessary  only  when  the  required  volume  of  sampling 
cannot  be  obtained  from  opportunity  samples.  Because  new  types  of 
engines  usually  have  high  failure  rates  that  create  abundant  oppor- 
tunity samples,  it  is  possible  to  make  a careful  evaluation  of  the  condi- 
tion of  each  part  before  any  engines  on  the  aircraft  actually  age  to  the 
initial  maximum  limit. 

On-condition  inspections  also  play  the  primary  role  in  the  mainte- 
nance programs  for  structures.  However,  unlike  powerplants,  structure 
does  not  provide  opportunity  samples.  The  structure  is  designed  as  an 
integral  unit,  and  corrective  maintenance  on  any  structural  item  removes 
the  entire  airplane  from  service.  Moreover,  because  the  failure  of  any 
major  structural  assembly  is  critical,  all  parts  of  the  structure  are 
designed  to  survive  to  very  high  ages.  In  the  case  of  structure,  therefore, 
the  inspection  program  itself  is  the  only  vehicle  for  age  exploration,  and 
the  inspection  samples  consist  of  individual  airplanes,  rather  than 
samples  of  parts  from  different  airplanes.  The  initial  inspection  interval 
for  each  structurally  significant  item  is  set  at  only  a fraction  of  the  age 
at  which  evidence  of  deterioration  is  expected  to  appear,  not  only  to 
find  and  correct  any  conditions  that  may  reduce  the  anticipated  design 
life,  but  also  to  identify  the  age  at  which  reduced  failure  resistance  first 
becomes  evident. 

Whereas  powerplant  items  are  continually  interchanged  and  re- 
placed as  part  of  the  normal  repair  cycle,  structural  members  are  repaired, 
but  are  rarely  replaced  with  new  parts.  Consequently  the  age  of  most 
parts  of  a given  structure  is  the  same  as  the  total  age  of  the  airplane.  This 
makes  it  possible  to  concentrate  age-exploration  activities  on  the  highest 
total-time  airplanes.  The  first  few  airplanes  to  reach  the  initial  limit 
established  for  major  structural  inspections  are  designated  as  inspection 
samples.  All  inspection  findings  for  these  airplanes  are  carefully  docu- 
mented, so  that  any  changes  in  their  condition  with  age  can  be  identified 
before  younger  airplanes  reach  this  age.  If  there  are  no  signs  of  deterio- 
ration, the  starting  intervals  in  the  initial  program  will  usually  be 
increased  for  the  remaining  airplanes  in  the  fleet. 

Age  exploration  of  systems  items  is  conducted  on  still  another  basis. 
Systems  items  are  generally  characterized  by  low  reliability;  hence  they 
provide  abundant  opportunity  samples.  However,  because  systems  fail- 
108  THEORY  AND  PRINCIPLES  ures  are  rarely  critical  and  so  many  systems  items  cannot  benefit  from 
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scheduled  maintenance,  extensive  inspection  of  opportunity  samples  is 
usually  not  justified  by  the  value  of  the  information  obtained.  In  this 
case  the  frequency  of  failures  is  likely  to  have  greater  economic  impact 
than  the  consequences  of  individual  failures.  Thus  for  systems  items 
age  exploration  is  based  primarily  on  the  monitoring  and  analysis  of 
failure  data  to  determine  the  cost  effectiveness  of  proposed  tasks. 

In  the  following  chapter  we  will  examine  the  many  other  aspects  of 
the  age-exploration  process. 


4*6  PACKAGING  THE  MAINTENANCE  TASKS 

Once  each  maintenance  task  in  the  prior-tc-scrvice  program  has  been  maintenance  packages 
assigned  an  appropriate  initial  interval,  either  for  the  purpose  of  age  ^,"^u,jon  of  maintenance 
exploration  or  on  the  basis  of  conservative  judgment,  the  RCM  tasks 
are  combined  with  other  scheduled  tasks  — the  servicing  and  lubrica- 
tion tasks  specified  by  the  manufacturer  and  the  scheduled  zonal- 
installation  inspections.  All  the  tasks  with  similar  intervals  are  then 
grouped  into  a number  of  maintenance  packages,  each  with  its  own  inter- 
val. The  principle  is  the  same  as  that  spelled  out  in  new-car  warranties, 
which  specify  a certain  group  of  servicing  and  inspection  tasks  to  be 
performed  every  1,000  miles,  another  to  be  performed  every  5,000  miles, 
and  so  on.  For  commercial  aircraft  these  intervals  range  from  between- 
flight  checks  at  every  station  to  major  inspections  at  eight-  to  ten-year 
intervals  at  a maintenance  base. 

This  grouping  results  in  slightly  more  frequent  performance  of 
some  tasks  than  is  strictly  necessary,  but  the  additional  cost  is  justified 
by  the  increase  in  maintenance  efficiency.  Those  tasks  that  are  most 
expensive,  both  in  actual  cost  and  in  terms  of  down  time  for  out-of- 
service equipment,  tend  to  shape  the  overall  package.  Thus  if  one  task 
must  be  performed  every  1,000  miles  and  another  can  be  done  easily 
at  the  same  time,  they  will  both  be  scheduled  for  that  interval.  If  the 
second  task  is  required,  say,  every  2,500  miles,  it  will  be  scheduled 
every  other  time  the  first  task  is  done,  and  so  on. 

Airlines  frequently  give  each  of  the  major  scheduled-maintenance 
packages  an  alphabetic  designation;  hence  they  are  commonly  known 
as  letter  checks.  An  A check  might  be  performed  every  125  hours  of 
flight  time,  a B check  every  900  hours,  and  so  on.  Exhibit  4.11  shows  the 
sc  uence  of  letter  checks  as  they  would  occur  for  an  airplane  over  an 
operating  period  of  3,600  hours.  The  content  of  a given  letter  check  will 

necessarily  be  the  same  every  time  it  is  performed,  since  some  tasks 
Will  come  up  only  at  every  second  or  third  occurrence  of  that  check. 

However,  the  fact  that  the  more  extensive  packages  occur  at  longer 
intervals  means  that  as  the  level  of  work  increases,  fewer  stations  need 
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1,190 
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2350 

#2*  A Check 
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#11 A Check 
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#12  A Check 
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#20  A Check 
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3325 
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#14  A Check 
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#30  A Check 
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#15  A Check 
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#31  A Check 

1300 

#2  B Check* 

3300 

#1C  Check* 

Include*  M A check. 

S Include*  #24  A check. 

Include*  #16  A check. 

4 Include*  #4  B check  and  #32  A check. 

EXHIBIT  4 • 1 1 A sample  schedule  of  maintenance  packages.  Each 
work  package  includes  all  the  scheduled  tasks  to  he  performed  at  that 
interval.  The  A check  includes  all  tasks  scheduled  at  125-hour 
intervals;  the  B check  consists  of  all  tasks  scheduled  at  900-hour 
intervals,  as  well  as  the  A check  that  would  otherwise  be  performed  at 
that  interval;  and  the  C check,  scheduled  for  3,600-hour  intervals, 
includes  all  the  tasks  scheduled  for  that  interval,  along  with  both  the 
A and  B checks  that  would  ordinarily  take  place  at  that  time.  The  A 
checks  are  performed  at  any  of  several  line-maintenance  stations. 

PI,"  nes  are  routed  to  a few  large  maintenance  stations  for  B checks, 
and  C checks  are  performed  at  the  maintenance  base. 


for  every  stop  at  a line  maintenance  station,  and  a #2  service  check 
might  be  scheduled  for  every  stopover  of  more  than  five  hours  (unless 
a higher-level  package  is  being  performed),  and  so  on. 

In  addition  to  the  letter  checks,  which  package  the  expensive  or 
time-consuming  tasks,  there  are  a number  of  smaller  service  packages. 
For  example,  a #1  service  check  might  include  those  tasks  scheduled 
The  entire  scheduled-maintenance  program,  packaged  for  actual 
110  THEORY  AND  PRINCIPLES  implementation,  must  be  completed  and  approved  before  any  new  air- 


craft  can  enter  service.  Up  to  this  point  RCM  analysis  has  provided  us 
with  a set  of  tasks  based  on  those  reliability  characteristics  that  can  be 
determined  from  a knowledge  of  the  equipment  and  the  operating  con- 
text. Once  the  equipment  enters  service  a whole  new  set  of  information 
will  come  to  light,  and  from  this  point  on  the  maintenance  program  will 
evolve  on  the  basis  of  data  from  actual  operating  experience.  This 
process  will  continue  throughout  the  service  life  of  the  equipment,  so 
that  at  every  stage  maintenance  decisions  are  based,  not  on  an  estimate 
of  what  the  reliability  is  likely  to  be,  but  on  the  specific  reliability  char- 
acteristics that  can  be  determined  at  that  time. 


CHAPTER  FIVE 


evolution  of  the  ran  program 


IN  THE  preceding  chapters  we  have  examined  the  framework  of  RCM 
analysis  and  the  decision  process  that  leads  to  the  selection  of  tasks  for 
an  initial  maintenance  program.  After  the  equipment  enters  service 
information  becomes  available  about  its  actual  interaction  with  the 
operating  environment.  This  information  almost  certainly  contains 
some  surprises  — unanticipated  types  of  failures,  unexpected  failure 
consequences,  unusually  high  failure  rates,  or  even  an  absence  of  antici- 
pated failures.  Because  the  volume  of  operation  is  small  at  first,  infor- 
mation is  gained  at  that  time  about  the  failures  that  are  likely  to  occur 
soonest  and  with  the  greatest  frequency.  As  operating  time  accumu- 
lates, the  less  frequent  types  of  failures  are  discovered,  as  well  as  those 
that  tend  to  occur  at  higher  operating  ages.  All  this  information  is  used 
for  continuing  evolution  of  the  ongoing  maintenance  program. 

Any  complex  equipment  is  a failure  generator,  and  failure  events 
will  occur  ' roughout  its  whole  operating  life.  The  response  to  these 
events  depends  on  the  failure  consequences.  If  an  unanticipated  failure 
has  serious  implications  for  safety,  the  first  occurrence  sets  in  motion 
an  immediate  cycle  of  maintenance  and  design  changes.  In  other  cases 
waiting  until  several  failures  have  occurred  allows  a better  assessment 
of  their  frequency  to  determine  the  economic  benefits  of  preventive 
tasks,  or  possibly  redesign.  Very  often  waiting  until  enough  failures 
have  occurred  to  permit  an  evaluation  of  age-reliability  relationships 
provides  the  information  necessary  to  modify  the  initial  maintenance 
decisions. 

Evolution  of  the  scheduled-maintenance  program  does  not  consist 
solely  of  reactions  to  unanticipated  failures.  The  information  that  be- 
comes available  — including  the  absence  of  failures  — is  also  used  for 
systematic  evaluation  of  all  tasks  in  the  initial  program.  On  the  basis  of 
112  theory  AND  PRINCIPLES  actual  data,  the  initial  conservative  intervals  for  on-condition  irispec- 
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tions  can  be  adjusted  and  the  applicability  of  scheduled  rework  and 
economic-life  tasks  can  be  investigated.  Actual  operations  will  fre- 
quently confirm  the  a priori  assessments  of  failure  consequences,  but 
occasionally  the  consequences  will  be  found  to  be  more  serious  or  less 
serious  than  anticipated,  cr  a failure  thought  to  be  evident  to  the  oper- 
ating crew  is  not,  and  vice  versa.  The  process  by  which  all  this  informa- 
tion is  obtained  is  called  age  exploration,  both  because  the  amount  of 
information  is  a direct  function  of  the  age  of  the  equipment  in  service 
and  because  some  of  this  information  relates  to  the  ages  of  the  items 
themselves. 


5 • 1 THE  USES  OF  OPERATING  DATA 

It  is  important  to  recognize,  both  in  planning  a prior-to-service  pro-  the  role  of  age  exploration 
gram  and  at  the  age-exploration  stage,  that  a fleet  of  equipment  does  evolution  of  the  initial  program 
not  materialize  overnight.  In  commercial  aviation  new  planes  are 
delivered  to  an  airline  at  a rate  of  one  to  four  a month,  and  as  we  saw 
in  Exhibit  4.9,  the  number  of  aircraft  in  service  and  the  associated 
volume  of  operations  builds  up  slowly.  This  allow:,  us  to  concentrate 
first  on  the  most  frequent  failures  (since  those  that  occur  early  will 
continue  to  occur  early  after  either  delivery  or  repair)  or  on  those 
failures  with  the  most  serious  consequences.  As  the  volume  of  oper- 
ations increases,  he  less  frequent  failures  come  to  light  and  can  be 
dealt  with  later.  In  a military  environment,  where  operating  experience 
does  not  accumulate  as  rapidly,  this  latter  information  may  be  obtained 
by  deliberate  heavy  use  of  the  first  few  pieces  of  equipment  — the  fleet- 
leader  concept— although  the  small  size  of  the  sample  data  presents  a 
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The  reliability  information  obtained  from  actual  operating  experi- 
ence is  quite  varied.  Although  the  failure  rate  plays  a role  early  in  oper- 
ation in  pinpointing  design  problems  and  evaluating  task  effectiveness, 
an  age-exploration  program  is  organized  to  provide  the  following  kinds 
of  information: 

► The  types  of  failures  the  equipment  is  actually  exposed  to,  as  well 
as  their  frequencies 

► The  consequences  of  each  failure,  ranging  from  direct  safety  haz- 
ards through  serious  operational  consequences,  high  repair  costs, 
long  out-of-service  times  for  repair,  to  a deferred  need  to  correct 
inexpensive  functional  failures 

► Confirmation  that  functional  failures  classified  as  evident  to  the 
operating  crew  are  fn  fact  evident  during  normal  performance  of 
duties 

► Identification  of  the  circumstances  of  failure  to  determine  whether 
the  failure  occurred  during  normal  operation  or  was  due  to  some 
external  factor,  such  as  bird  strike 


EXHIBIT  5*1  Summary  of  the  uses  of  new  information  in  the 
continuing  evolution  of  the  scheduled-maintenance  program.  After 
the  equipment  enters  service  age  exploration  and  the  evaluation  of 
actual  operating  data  continue  throughout  Its  entire  service  life. 


refinement*  of  initial  maintenance  program 

result*  of  age  exploration 


inspection  tasks 


Confirm  that  reduction  in  failure 
resistance  is  visible. 

Determine  rate  of  reduction  in  failure 
resistance. 

Confirm  or  modify  defined  potential- 
failure  condition. 

Adjust  inspection  Interval  and  age  for 
firat  inspection,  if  applicable. 


proposed 
age-limit  tatks 


Determine  age-reliability  relation- 
ship to  confirm  that  conditional 
probability  of  failure  increases 
with  age. 

If  failures  are  age-related, 
determine  whether  a cost-effective 
uge  limit  exists. 

If  a cost-effective  interval  can  be 
found,  add  task  to  program. 


ilomi  assigned  to 
no  scheduled  maintenance 


Monitor  and  evaluate 
operational  date  to  sec 
whether  tome  appli- 
cable and  effective  tael 
can  be  developed. 
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► Confirmation  that  on-condition  inspections  are  really  measuring 
the  reduction  in  resistance  to  a particular  failure  mode 

► The  actual  rates  of  reduction  in  failure  resistance,  to  determine 
optimum  inspection  intervals 

► The  mechanism  involved  in  certain  failure  modes,  to  identify  new 
forms  of  on-condition  inspection  and  parts  that  require  design 
improvement 

► Identification  of  tasks  assigned  as  default  actions  in  the  initial 
program  which  do  not  prove  applicable  and  effective 

p.  Identification  of  maintenance  package.;  that  are  generating  few 
trouble  reports 

^ Identification  of  items  that  are  not  generating  trouble  reports 

► The  ages  at  which  failures  occur,  so  that  the  applicability  of  sched- 
uled rework  and  discard  tasks  can  be  determined  by  actuarial 
analysis 

Exhibit  5.1  summarizes  the  uses  of  all  this  information  in  refining  and 


major  revisions  '«>  initial  maintenance  program 

results  oi  technological  change 

unanticipated  failure  new  or  changes  in 

modes  or  consequences  redesigned  item  inspection  technology 


Develop  on-condition  teaks  to  prevent 
critical  failure*  and  to  prevent  or 
reduce  frequency  of  expensive  failures 
at  low  agea. 

Develop  design  changes  necessary  for 
permanent  correction  of  problems. 

Develop  failure-finding  tasks  for 
hidden  functions  not  Identified  In 
Initial  program. 

Develop  on-condition  or  other  tasks  to 
control  critical  or  expensive  failures  at 
high  ages,  where  product  improvement 
may  not  be  economically  justified. 


Conduct  RCM  analysis  of  item 
when  it  first  enters  service. 

Refine  maintenance  requirements 
through  ag"  exploiation. 


Evaluate  applicability 
and  effectiveness  of 
ntw  on-condition 
techniques. 


revising  the  initial  maintenance  program.  The  refinements  are  useful, 
but  their  overall  economic  impact  is  usually  quite  small.  The  major 
revisions  are  associated  with  unanticipated  failures,  design  modifica- 
tions, and  the  exploitation  of  new  inspection  technology;  in  this  area 
far  greater  economies  are  realized. 
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5 • 2 REACTING  TO  SERIOUS  FAILURES 


the  preventive-maintenance/ 
redesign  cycle 
the  improvable  failure  rate 
prediction  of  reliability 
improvement 
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After  new  equipment  enters  service  it  may  experience  unanticipated 
types  of  failures  and  failure  consequences.  The  most  serious  of  these 
are  usually  in  the  powerplant  and  the  basic  structure.  Although  such 
failures  can  occur  at  any  point  in  the  life  of  the  equipment,  they  are 
most  likely  to  occur  early  in  operation.  The  first  failure  may  have  such 
serious  implications  for  operating  safety  or  economics  that  all  operating 
organizations  and  the  manufacturer  react  immediately.  Thus  there  is  a 
structured  pattern  of  events  associated  with  unanticipated  failures 
which  results  in  a characteristic  cycle  of  reliability  improvement. 

..  Suppose  the  unforeseen  failure  is  a critical  engine  failure.  As  an 
immediate  step,  engineering  investigations  are  undertaken  to  deter- 
mine whether  some  on-condition  inspection  or  other  preventive  task 
will  be  effective.  This  preventive  measure  may  result  in  a substantial 
increase  in  maintenance  costs.  With  a new  engine  a large  number  of 
engine  removals,  dictated  either  by  the  discovery  of  potential  failures 
or  by  scheduled  removal  of  all  units,  will  also  make  it  difficult  to  pro- 
vide replacement  engines.  The  next  step  is  action  to  redesign  the  parts 
in  which  the  failure  mode  originates.  When  the  new  parts  are  available, 
all  the  engines  in  service  must  then  be  modified  to  incorporate  the 
change.  Not  all  design  changes  are  successful,  and  it  may  take  several 
attempts  over  a period  of  two  or  three  years  to  correct  the  problem. 
Once  the  problem  has  been  eliminated,  the  scheduled-maintenance  tasks 
instituted  to  control  this  type  of  failure  are  no  longer  necessary  and  can 
be  discontinued. 

Exhibit  5.2  illustrates  this  cycle.  A year  after  this  engine  entered 
service  two  critical  failures  occurred  during  a three-month  period.  Both 
failures  were  found  to  be  caused  by  notch  wear  in  the  third-stage  tur- 
bine blades.  Since  this  failure  mode  was  also  found  to  be  detectable  at 
the  potential-failure  stage,  a line-maintenance  on-conditron  inspection 
was  specified  to  check  for  loose  turbine  blades.  Frequent  inspection 
intervals  resulted  in  a large  number  of  Engine  removals  for  this  condi- 
tion, but  removal  of  these  potential  failures  prevented  any  further 
funciional  failures.  The  turbine  blade  was  redesigned,  and  halfway 
through  the  following  year  modification  of  the  existing  engines  was 
started  to  incorporate  the  new  "low-swirl"  blades.  The  on-condition 
inspections  were  continued,  but  as  more  and  more  modified  engines 
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EXHIBIT  5*2  The  pattern  of  events  associated  with  an  unanticipated 
critical  failure  mode  in  the  Pratt  & Whitney  IT4  engine.  The  data 
represent  all  engine  removals  for  this  failure  mode,  the  first  two  as 
functional  failures  and  the  rest  as  potential  failures  found  by  an 
on-condition  task  developed  after  the  first  failure  events.  These 
premature  removals  prevented  all  further  functional  failures,  and  as 
modified  engines  entered  service,  the  number  of  potential  failures 
also  decreased.  When  no  further  potential  failures  were  found, 
the  on-condition  task  was  deleted  from  the  program. 

(United  Airlines) 


entered  service,  the  number  of  premature  removals  (potential  failures) 
dropped.  Finally,  about  three  years  after  the  first  two  failures,  the  on- 
condition  inspections  were  discontinued. 

In  new  equipment  the  scheduled-maintenance  tasks  generated  in 
response  to  early  critical  failures  are  nearly  always  on-condition  inspec- 
tions. Age-limit  tasks  are  not  likely  to  be  feasible,  since  there  are  no 
data  for  actuarial  analysis,  and  in  the  case  of  early  failures,  taking  some 
fraction  of  the  age  at  failure  as  a safe-life  limit  could  easily  be  in- 
effective. Moreover,  a short  safe-life  limit  might  effectively  preclude 
continued  operation  of  the  equipment,  since  it  would  be  difficult  to 
provide  the  labor  and  spare  parts  needed  for  such  intensive  mainte- 
nance. The  definition  of  an  applicable  on-condition  task,  however,  may 
require  great  ingenuity.  The  failure  mode  must  be  determined,  and  a 
specific  part  that  shows  physical  evidence  of  reduced  failure  resistance 
must  be  identified.  Then  some  means  of  inspecting  the  part  while  it  is 
still  installed  must  be  devised. 

Under  these  circumstances  both  the  potential-failure  point  and  the 
inspection  interval  will  be  established  on  a very  conservative  basis.  As 

soon  as  the  on-condition  task  is  implemented,  all  the  equipment  in  SECTION  5*2  117 


--Haiti'' 


Jl. 


service  is  inspected.  This  first  inspection  of  the  fleet  often  leads  to  a 
large  number  of  removals  for  the  newly  defined  potential  fnilure.  The 
. ate  of  removal  after  this  first  inspection  will  be  much  lower,  of  course. 
It  may  be  low  enough  to  justify  increasing  the  initial  conservative  in- 
spection interval,  but  the  inspections  themselves  will  be  continued 
until  experience  has  demonstrated  that  the  problem,  no  longer  exists. 

The  cycle  for  early  structural  difficulties  is  similar.  Once  again,  it  is 
necessary  to  determine  the  failure  mode  and  devise  an  on-condition 
inspection  for  potential  failures.  In  this  case  the  inspections  may  be 
scheduled  as  often  as  once  every  flight  cycle  or  at  intervals  as  long  as 
2,000  or  3,000  flight  cycles.  Again,  even  though  the  incidence  of  poten- 
tial failures  turns  out  to  be  relatively  low  after  the  first  fleet  inspection, 
the  task  itself  ir  continued  until  the  design  can  be  modified. 

Serious  unanticipated  failures  do  not  necessarily  occur  early  in  the 
life  of  new  equipment.  At  later  ages,  however,  such  failures  may  not 
lead  to  design  changes.  The  first  response  is  still  the  same  — the  develop- 
ment of  new  scheduled-mnintenance  tasks.  At  this  stage  the  imposition 
of  safe-life  limits  may  be  both  technically  and  economically  feasible. 
On-condition  tasks  may  also  be  applicable,  but  the  inspections  can  be 
scheduled  to  begin  at  a relatively  high  age  and  may  have  longer  inter- 
vals. Unless  the  failure  mode  is  strongly  related  to  age,  in  which  case  a 
life-limit  task  may  be  more  'ppropriate,  the  number  of  potential  fail- 
ures found  by  on-condition  inspections  will  be  far  lower  than  in  rela- 
tively new  equipment.  Depending  on  the  age  of  the  equipment,  the 
cost  of  redesign  may  not  be  warranted,  since  economic  justification 
depends  on  the  remaining  technologically  useful  life  of  the  equipment. 

One  further  way  of  coping  with  failure  is  to  restrict  operating  pro- 
cedures to  put  less  stress  on  a vulnerable  component  until  it  can  be 
redesigned.  Sometimes  the  opposite  strategy  is  also  useful.  When  no 
specific  potential-failure  condition  can  be  identified,  it  may  be  possible 
to  preempt  a serious  failure  by  inducing  it  under  other  circumstances. 
In  one  such  case  failures  of  a compressor  disk  on  a tail-mounted  turbine 
engine  were  occurring  at  very  low  ages,  and  no  on-condition  inspec- 
tions were  feasible.  It  was  possible  to  keep  the  plane  in  service,  how- 
ever, by  requiring  the  pilot  to  brake  at  the  end  of  the  runway  and  apply 
takeoff  thrust  with  the  aircraft  stationary.  The  peak  stress  on  the  disk 
occurred  when  takeoff  thrust  was  first  applied  and  decreased  as  the  disk 
warmed  up.  Thus  if  the  disk  did  not  fail  during  warmup,  it  was  unlikely 
to  do  so  during  flight.  This  strategy  resulted  in  several  expensive  fail- 
ures, but  they  were  not  critical  on  the  ground,  whereas  the  secondary 
effects  of  disk  failure  would  have  been  critical  in  flight. 

A new  piece  of  complex  equipment  often  experiences  a high  failure 
rate.  Often,  too,  the  majority  of  these  failures  result  from  a smal"  number 
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bilities  of  such  dominant  failure  modes  will  frequently  increase  rapidly 
with  operating  age.  Exhibit  5.3  shows  the  results  of  successive  analyses 
of  an  engine  that  entered  service  in  1964.  At  that  time  its  initial  reli- 
ability was  poo  , the  conditional  probability  of  failure  was  high,  and 
this  probability  increased  rapidly  with  age.  However,  the  increase  v*s 
linear  and  showed  no  identifiable  wearout  zone.  Within  a few  monuis 
the  reliability  of  this  engine  was  substantially  improved  by  design 
modifications  directed  at  the  dominant  failure  modes.  The  initia.  nigh 
failure  rate  brought  the  unmodified  engines  into  the  shop  very  fre- 
quently, which  facilitated  fairly  rapid  incorporation  of  the  modified 
parts.  Consequently  the  conditional  probability  of  failure  continued 
to  drop,  and  ultimately  the  reliability  of  this  engine  showed  no  relation- 
rliip  to  operating  age. 

Once  the  early  dominant  failure  modes  in  an  engine  are  disposed 
of,  it  becomes  increasingly  difficult  to  make  further  improvements. 
Because  of  its  complexity,  the  engine  will  always  be  subject  to  many 
different  failure  modes,  and  some  may  even  bo  dominant.  However, 
the  failure  probability  associated  with  any  given  mode  is  too  low  to 
justify  further  development  of  the  engine.  The  difference  between  an 
item's  initial  and  mature  failure  rate  is  its  improvable  failure  rate—  the 


EXHIBIT  5*3  Results  of  successive  age- reliability  analyses  of  the 
Pratt  & Whitney  JTBD  engine  of  the  Boeing  727.  As  engineering 
improvements  gradually  overcame  dominant  failure  modes,  the 
conditional-probability  curve  continued  to  flatten  unlil  it  eventually 
sho-ved  no  relationship  of  engine  reliability  to  operating  age. 
(United  Airlines) 
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EXHIBIT  5*4  Comparison  of  actual  failure  rates  of  the  Pratt  & 
Whitney  J18P  engine  with  a forecast  made  in  December  1965.  During 
initial  opciilion  the  failure  rate  based  on  small  samples  will  show 
large  variations  in  different  calendar  periods.  However,  since  reliability 
improvement  is  characteristically  exponential,  it  is  possible  to  predict 
the  expected  reduction  in  failure  rate  over  a longer  calendar  period. 
The  temporary  variation  from  the  forecast  level  in  this  case  was  the 
result  of  a new  dominant  failure  mode  which  took  several  years  to 
resolve  by  redesign.  (United  Airlines) 


portion  that  will  be  eliminated  by  product  improvement.  If  a particular 
engine  has  a failure  rate  of  2 per  1,000  hours  when  it  first  enters  service 
and  we  anticipate  that  its  failure  rate  will  ultimately  drop  to  0.3,  then 
the  improvable  failure  rate  is  1.7. 

In  many  cases  the  improvable  failure  rate  declines  exponentially 
over  calendar  time  — that  is,  the  percentage  of  reduction  remains  con- 
stant, although  the  amount  of  reduction  becomes  smaller  as  the  failure 
rate  is  reduced.  This  percentage  has  been  as  much  as  40  percent  a year 
for  engines  in  a commercial-airline  environment.  Such  a high  degree  of 
improvement  is  possible  only  when  a large  number  of  engines  are  in 
service  to  generate  the  failure  data  required  both  to  direct  product 
improvement  and  to  lower  its  unit  cost.  The  fact  that  improvement  is 
characteristically  exponential  enables  us  to  plot  reliability  growth  in 
new  equipment  with  a fair  degree  of  success.  Exhibit  5.4  shows  a corn- 
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1965.  The  forecast  was  reasonably  good  until  1968,  when  a new  failure 
mode  became  dominant.  This  problem  took  nearly  three  years  to  re- 
solve, after  which  the  failure  rate  dropped  back  to  the  forecast  level. 


5 * 3 REFINING  THE  MAINTENANCE  PROGRAM 

The  maintenance  tasks  added  in  response  to  unanticipated  failures  are  adjusting  task  intervals 
only  one  aspect  of  the  age-exploration  process.  At  the  time  the  initial  uses  of  actuarial  analysis 
program  is  developed  certain  reliability  characteristics  are  unknown. 

For  example,  the  ability  to  measure  reduced  failure  resistance  can  be 
determined,  but  there  is  no  information  on  the  actual  rate  of  reduction 
as  various  items  age  in  service.  Similarly,  the  information  necessary  to 
evaluate  cost  effectiveness  and  age-reliability  relationships  becomes 
available  only  after  the  equipment  has  been  in  service  for  some  time. 

Once  the  maintenance  program  goes  into  effect,  the  results  of  the  sched- 
uled tasks  provide  the  basis  for  adjusting  the  initial  conservative  task 
intervals,  and  as  further  operating  data  become  available  the  default 
decisions  made  in  the  absence  of  information  are  gradually  eliminated 
from  the  program. 

ADJUSTING  TASK  INTERVALS 

As  part  of  the  initial  program  many  items  are  scheduled  for  frequent 
sample  inspections  to  monitor  their  condition  and  performance,  and 
other  tasks  are  assigned  conservatively  short  initial  intervals.  All  these 
tasks  are  then  packaged  for  implementation.  If  the  first  few  units  to 
reach  this  check  limit  show  no  unsatisfactory  conditions,  it  is  safe  to 
assume  that  the  task  interval  for  the  remaining  units  can  be  extended. 

Any  equipment  that  has  aged  to  the  present  check  limit  is  designated  a 
time-extension  sample. 

In  many  cases,  as  we  saw  in  Chapter  4,  the  required  number  of 
samples  is  provided  by  opportunity  samples,  units  that  are  available 
for  inspection  because  they  have  failed  for  some  reason  related  to  only 
one  failure  mode.  In  the  case  of  engines,  for  example,  the  availability  of 
samples  of  a particular  part  depends  on  the  number  of  shop  visits  occa- 
sioned by  failures  in  the  section  of  the  engine  containing  that  part. 

Since  a new  type  of  engine  is  far  more  likely  to  experience  failures  of 
components  in  the  hot  section  than  in  the  cold  section,  the  engine  data 
in  Exhibit  5.5  show  far  more  opportunity  samples  for  the  exit  guide- 
vane  assembly  than  for  the  compressor  assembly.  In  both  cases,  how- 
ever, opportunity  sampling  provided  a means  of  inspecting  these  parts 
as  they  aged  in  service.  Since  tiiere  was  no  great  difference  between  the 
age  of  the  highest-time  installed  part  and  the  age  of  the  highest-time 
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EXHIBIT  5'S  Effectiveness  of  opportunity  sampling  of  the  Pratt  & 
Whitney  JT8D  engine.  Opportunity  samples  of  the  exit  guide-vane 
assembly  (black)  were  more  abundant  than  samples  of  the  high- 
compressor  assembly  (red),  but  at  every  age  the  highest-time  installed 
unit  was  only  slightly  older  than  the  highest-time  inspected  sample. 
Thus  any  unsatisfactory  condition  detected  in  the  sample  would  be 
found  before  the  remaining  installed  units  had  reached  this  age. 
(United  Airlines) 


items  until  the  age  at  which  the  sample  units  began  to  show  signs  of 
deterioration. 

Task  intervals  for  systems  and  structural  items  are  ordinarily  in- 
creased by  increasing  the  interval  of  the  letter-check  package  in  which 
they  have  been  included.  However,  if  the  inspection  reports  indicate 
that  the  interval  for  some  particular  task  in  this  package  should  not  be 
extended,  the  task  must  be  moved  to  another  package.  task  originally 
assigned  to  the  C-check  package,  for  .instance,  might  be  reassigned  to 
the  package  designated  for  every  second  B check.  Conversely,  there  will 
be  tasks  whose  original  intervals  now  appear  far  too  conservative.  In 
this  case  the  task  interval  might  be  increased,  say,  from  C2  to  C4  at  the 
same  time  that  the  C-check  interval  itself  is  being  revised  upward.  The 
same  result  can  be  achieved,  of  course,  by  leaving  the  intervals  of  all 
packages  fixed  and  moving  all  tasks  from  one  package  to  another. 

The  management  of  maintenance  packages  requires  careful  plan- 
ning. First,  a schedule  is  needed  for  conducting  the  analysis  necessary 
to  support  each  interval  extension.  This  schedule  must  allow  time  for 
the  first  few  units  that  have  entered  service  to  age  to  the  existing  check 
122  THEORY  AND  PRINCIPLES  limit,  and  also  time  for  the  analysis  necessary  to  assess  the  desirability 


of  extending  the  limit.  The  results  of  all  inspections  and  corrective  work 
performed  on  these  sample  units  must  be  carefully  analyzed  so  that  the 
tasks  for  which  intervals  should  not  be  extended  can  be  moved  to  more 
compatible  packages.  Tasks  producing  marginal  results  may  stay  with 
the  original  package,  but  they  should  be  noted  for  future  attention.  A 
hard-time  directory  is  usually  maintained  to  identify  tasks  for  which  a 
maximum  interval  appears  likely.  These  tasks  require  closer  study  than 
the  others,  and  maintenance  planning  is  facilitated  by  advance  knowl- 
edge that  they  may  be  moved  to  a different  package  in  the  near  future. 

USES  OF  ACTUARIAL  ANALYSIS  IN  ACE  EXPLORATION 

Whereas  serious  unanticipated  failures  prompt  an  immediate  response, 
action  on  infrequent  failures  or  those  with  no  major  consequences  is 
usually  delayed  until  enough  information  has  been  gathered  to  make  a 
full  assessment  of  possible  maintenance  remedies.  This  is  particularly 
true  with  regard  to  rework  tasks,  since  these  tasks  are  applicable  only 
if  the  conditional-probability  curve  shows  that  an  item  has  an  identifi- 
able wearout  zone.  Such  curves  are  the  result  of  an  actuarial  analysis  in 
which  the  number  of  failures  during  various  age  intervals  are  measured 
in  terms  of  the  total  exposure  of  the  item  (total  operating  time  for  all 
units)  and  the  probability  of  survival  to  that  age  interval. 

An  actuarial  analysis  does  not  require  hundreds  of  failure  events. 

A survival  curve  can  be  constructed  from  the  data  on  20  functional  fail- 
ures, and  if  necessary,  from  a sample  of  10.  However,  since  it  takes 
several  thousand  operating  hours  to  accumulate  this  many  occurrences 

of  a given  type  of  failure,  there  is  sometimes  concern  about  a surge  of  .} 

failures  as  a result  gf  wearout  after  a certain  age.  If  all  the  units  in  service 
were  the  same  age  this  might  be  the  case,  but  because  of  the  slow 
buildup  of  a fleet  of  airplanes,  the  ages  of  the  units  in  service  are  widely 
distributed.  If  the  item  is  very  reliable  at  lower  ages,  and  the  first  failure 
does  not  occur  until  some  time  after  the  fleet  has  reached  full  strength, 
the  age  distribution  of  the  in-service  units  at  that  time  will  be  the  same 
as  h t of  the  planes  in  the  fleet.  This  means  that  there  may  be  a differ- 
ent? of  five  years  or  more  between  the  ages  of  the  oldest  unit  and  the 
n »•>  -i  one.  If  ' e item  is  not  that  reliable,  there  will  be  even  fewer 
Vgn-tirue  ur>r  since  many  of  the  units  on  the  older  airplanes  will  be 
.placements  for  units  that  have  already  failed. 

It  is  this  distribution  in  the  ages  of  in-service  units  of  an  item  that 
makes  it  feasible  to  use  actuarial  analysis  as  a tool  for  age  exploration. 

If  it  is  found  that  there  is  a sharp  increase  in  the  likelihood  of  failure  at 
higher  ages,  there  is  ample  time  to  take  preventive  steps,  since  very  few 
units  are  actually  approaching  the  "cliff"  when  it  is  discovered.  It  fol- 
lows that  attention  is  concentrated  on  the  failure  behavior  of  the  oldest 
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can  be  added  to  the  maintenance  program  long  before  the  other  units 
reach  this  age. 

Exhibit  5.6  shows  the  «c’ilt«  — _^uanai  analysis  conducted  to 
J~L — • turn,  . .ework  of  a turbine  engine  would  be  an 

applicable  task.  The  upper  curve  shows  the  total  conditional  probability 
for  all  units  removed  and  sent  to  the  shop  for  corrective  work,  and  the 
lower  curve  shows  the  conditional  probability  of  functional  failures  as 
reported  by  the  operating  crew.  The  distance  between  these  two  curves 
at  any  age  represents  the  conditional  probability  of  potential  failures 
detected  by  on -condition  inspections.  It  is  functional  failures  that  have 
safety  or  operational  consequences,  and  the  conditional  probability  of 
such  failures  in  this  case  is  constant.  Since  functional  failures  are  inde- 
pendent of  the  time  since  engine  installation  (last  shop  visit),  operating 
age  is  not  a factor  in  the  failure  rate,  and  a rework  task  is  therefore  not 
applicable. 

The  conditional-probability  curve  that  includes  potential  failures 
does  show  an  increase  with  increasing  age.  However,  we  do  not  want  to 
reduce  the  incidence  of  potential  failures  except  by  redesign,  since  these 
inspections  for  potential  failures  are  clearly  effective  in  reducing  the 
number  of  functional  failures.  As  ,t  is,  each  engine  can  remain  in  oper- 
ation until  a potential  failure  is  detected,  and  under  these  conditions 


EXHIBIT  S'6  Conditional-probability  curves  for  the  General  Electric 
CF6-6  engine  of  the  Douglas  DC-10.  The  upper  curve  shows  the  total 
number  of  premature  removals  for  botl.  functional  and  potential 
failures,  and  the  lower  curve  shows  the  number  of  these  units  removed 
as  functional  failures.  Although  the  rate  of  potential  failures  increases 
with  operating  age,  as  a result  of  effective  on-condition  inspections 
the  functional-failure  rate  is  kept  in  check  and  shdws  no  increase  with 
age.  (United  Airlines)  ■ 
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EXHIBIT  5*7  Partitioning  of  a conditional-probability  c 'rve  to  show 
the  number  of  unverified  failures  and  the  number  of  verified  failures 
resulting  from  each  of  three  failure  modes.  Note  that  the  only  high 
Infant  mortality  occurs  from  failure  mode  A;  this  results  in  an 
upturn  of  the  curves  above  it  in  a layered  representation. 

there  is  no  increase  in  the  functional-failure  rate  with  age.  Thus  the 
on-condition  task  itself  prevents  a wearout  zone  for  functional  failures 
and  at  the  same  time  permits  each  engine  to  realize  almost  all  of  its 
useful  life. 

The  relationship  of  verified  and  unverified  failures  can  be  exam- 
ined in  the  same  way  to  determine  the  effectiveness  of  troubleshooting 
methods.  This  information  is  of  value  to  those  concerned  with  stocking 
and  allocating  replacement  units  and  spare  parts,  but  it  is  also  impor- 
tant in  identifying  the  actual  characteristics  of  verified  failures,  so  that 
the  failure  mode  can  be  pinpointed  more  exactly  and  a more  accurate 
potential-failure  condition  can  be  defined. 

Exhibit  5.7  shows  the  various  age-reliability  relationships  that  can 
be  developed  for  an  item  subject  to  several  different  failure  modes.  The 
upper  curve  shows  the  conditional  probability  for  all  reported  failures, 
and  the  curve  below  it  shows  the  conditional  probability  of  verified 
failures.  The  distance  between  these  two  curves  represents  the  prob- 
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ability  of  unscheduled  removals  of  units  that  are  actually  serviceable. 
Thus  the  first  curve  represents  the  apparent  reliability  of  the  item  and 
the  second  curve  represents  its  actual  reliability. 

To  determine  how  we  might  improve  the  reliability  of  this  item  we 
must  examine  the  contribution  of  each  failure  mode  to  the  total  of  veri- 
fied failures.  For  example,  failure  modes  A and  B show  no  increase  with 
increasing  age;  hence  any  attempt  to  reduce  the  adverse  age  relation- 
ship must  be  directed  at  failure  mode  C.  There  is  also  a fairly  high  con- 
ditional probability  of  failure  immediately  after  a shop  visit  as  a result 
of  high  infant  mortality  from  failure  mode  A.  The  high  incidence  of 
early  failures  from  this  failure  mode  could  be  due  to  a problem  in  shop 
procedures.  If  so,  the  difficulty  might  be  overcome  by  changing  shop 
specifications  either  to  improve  quality  control  or  to  break  in  a repaired 
unit  before  it  is  returned  to  service.  In  the  case  of  aircraft  engines,  for 
example,  shop  procedures  in  commercial  airlines  include  a test-cell  run 
at  the  end  of  the  shop  process,  during  which  some  engines  are  rejected 
and  sent  back  for  further  work.  These  test-cell  rejects  do  not  appear  in 
the  failure  count,  since  this  count  begins  only  after  the  engine  is  in- 
stalled on  the  aircraft. 

An  actuarial  analysis  such  as  that  in  Exhibit  5.7  can  direct  improve- 
ments toward  a great  many  different  areas  by  indicating  which  factors 
are  actually  involved  in  the  failure  behavior  of  the  item.  An  analysis  of 
the  Boeing  72 7 generator,  for  example,  showed  that  the  conditional 
probability  of  generator  failure  did  not  increase  with  age  until  bearing 
failures  started  at  an  age  of  2,000  hours.  This  failure  mode  u sually  results 
in  destruction  of  the  generator.  Since  a new  generator  costs  about  $2,500, 
as  opposed  to  $50  for  a bearing  replacement,  a generator  rework  task 
during  which  the  bearing  was  discarded  was  both  applicable  and  cost- 
effective  at  4,000-hour  intervals. 

5*4  REVISIONS  IN  MAINTENANCE  REQUIREMENTS 

new  diagnostic  techniques  The  maintenance  tasks  instituted  in  response  to  serious  unanticipated 
design  changes  failures  are  usually  interim  measures,  intended  to  control  the  problem 
until  it  can  be  resolved  by  redesign.  Two  kinds  of  technological  change, 
however,  may  lead  to  revision  of  the  requirements  for  scheduled  main- 
tenance: the  development  of  new  diagnostic  techniques  and  modifica- 
tion of  the  present  equipment. 

NEW  DIAGNOSTIC  TECHNIQUES 

Most  on-condition  inspections  are  diagnostic  techniques,  since  they 
measure  resistance  to  failure  to  identify  specific  problems.  The  earliest 
and  simplest  technique  used  for  aircraft  was  visual  examination,  per- 
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by  development  of  the  borescope.  Numerous  other  techniques  have 
been  developed  for  detecting  cracks  in  metallic  items,  such  as  eddy- 
current,  magnaflux,  and  zyglo  inspections,  Radiography  is  also  widely 
employed,  not  only  for  detecting  cracks,  but  also  to  check  clearances  and 
changes  in  configuration  without  the  need  to  disassemble  the  item. 

A useful  diagnostic  technique  must  be  able  to  detect  some  specific 
condition  that  can  confidently  be  defined  as  a potential  failure.  It  should 
be  sufficiently  accurate  to  identify  all  units  that  have  reached  this  con- 
dition without  including  a large  number  of  units  for  which  failure  is 
remote.  In  other  words,  such  techniques  mus  provide  a high  power  of 
discrimination.  The  demand  for  such  discrimination  depends  in  part 
on  the  consequences  of  failure.  A technique  with  low  resolving  power 
might  be  of  value  for  single-engine  aircraft  if  it  prevented  even  a small 
number  of  engine  failures,  despite  the  fact  that  if  caused  numerous 
unjustified  removals.  For  a multiengine  aircraft  the  same  technique 
would  be  unnecessary  as  a safety  precaution  and  undesirable  in  eco- 
nomic terms. 

Certain  diagnostic  techniques  appear  to  have  great  potential  but 
will  require  further  development  before  they  can  be  universally  adopted. 
For  example,  spectrographic  analysis  is  sometimes  used  to  detect  wear  in 
metal  parts  by  measuring  the  concentration  of  metallic  elements  in 
lubricating  oil.  In  many  cases,  however,  it  has  been  difficult  to  define  a 
failure  condition  related  to  the  metal  ncentrations.  Parts  have  failed 
without  the  expected  warning,  and  warnings  have  not  necessarily  been 
associated  with  imminent  failure.  Even  a change  in  the  brand  of  oil  may 
necessitate  new  criteria  for  interpreting  the  analysis.  Nevertheless,  if 
the  failure  is  one  with  major  consequences,  even  a low  incidence  of 
successful  interpretations  (and  prevented  failures)  may  offset  the  cost 
of  the  inspections  that  produced  no  useful  information. 

Another  recent  technique  is  the  use  of  computerized  airborne  inte- 
grated data  systems  (AIDS),  which  measure  and  record  the  performance 
characteristics  of  many  items  for  later  study.  Some  of  these  character- 
istics, especially  in  powerplants,  are  also  monitored  by  the  normal  flight 
instrumentation,  but  the  data  are  not  automatically  recorded  and  inte- 
grated with  other  data.  This  procedure  opens  up  the  possibility  of 
correlating  performance  trends  with  the  likelihood  of  failures,  or  "estab- 
lishing a signature"  for  the  failure  mode.  By  revealing  a previously  over- 
looked indication  of  reduced  resistance  to  failure,  AIDS  may  make  it 
possible  to  prevent  certain  functional  failures  by  on-condition  main- 
•enance.  The  new  data  systems  have  in  fact  assisted  in  troubleshooting, 
and  they  have  indicated  engine  conditions  that  increase  the  stress  on 
certain  internal  parts.  However,  their  success  in  performing  a true  (and 
continuous)  on-condition  surveillance  has  so  far  been  limited.  Once 
again,  this  system  may  be  worth  i”hile  for  some  organizations  if  analysis 
convinces  them  that  the  value  of  its  contribution  outweighs  its  costs. 


As  we  have  seen,  scheduled  rework  tasks  have  limited  applica- 
bi,:ty,  and  discard  tasks  apply  only  under  rather  special  circumstances. 
Major  improvements  in  maintenance  effectiveness  depend,  therefore, 
on  expanded  use  of  diagnostic  techniques.  The  search  for  additional 
techniques  continues,  and  the  economic  desirability  of  such  new  devel- 
opments must  be  reevaluated  from  time  to  time. 

DESIGN  CHANGES 

The  product-improvement  process  is  also  a factor  in  changing  main- 
tenance requirements,  since  design  modifications  may  change  the  reli- 
ability characteristic  of  items  either  intentionally  or  otherwise.  Hidden 
functions  may  be  added  or  removed,  critical-failure  modes  may  be 
added  or  removed,  dominant  failure  modes  and/or  age-reliability  char- 
acteristics may  be  altered,  and  redesign  may  change  the  applicability  of 
on-condition  tasks. 

Whenever  an  item  is  substantially  modified,  its  maintenance  re- 
quirements must  be  reviewed  It  may  also  be  necessary  to  repeat  the 
age-exploration  process  for  such  items,  both  to  find  out  whether  the 
modifications  have  achieved  their  intended  pmpose  and  to  determine 
how  these  modifications  affect  existing  maintenance  requirements  for 
the  item.  Finally,  entirely  new  items  are  added  to  most  equipment  dur- 
ing its  service  life.  Initial  requirements  must  be  developed  for  each  of 
these  items,  to  be  modified  as  necessary  when  operating  data  on  them 
become  available. 

5*5  THE  PRODUCT-IMPROVEMENT  PROCESS 

determining  the  need  for  In  the  course  of  evaluating  the  maintenance  requirements  of  complex 
product  improvement  equ,pment  many  items  will  be  found  that  cannot  benefit  from  sched- 
de,o7'producthfmprovement  uled  maintenance,  either  because  there  is  no  applicable  preventive  task 
information  requirements  or  because  the  available  forms  of  prevention  cannot  provide  the  level  of 
the  role  of  product  improvement  reliability  necessary.  Because  of  the  inherent  conflict  between  perfor- 
in equipment  development  mance  requirements  and  reliability  requirements,  the  reliability  prob- 
lems identified  and  corrected  during  early  operations  are  reaiiy  a part 
of  the  normal  development  cycle  of  high-performance  equipment. 

The  degree  of  reliability  that  can  be  achieved  by  preventive  main- 
tenance is  limited  by  the  equipment  itself.  Thus  a product  may  be 
deemed  unsatisfactory  for  any  of  the  following  reasons: 

► Exposure  to  critical  failures 

► Exposure  to  failures  that  unduly  reduce  operational  capability 

► Unduly  high  maintenance  costs 
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Failures  may  result  from  the  stress  and  wear  associated  with  the  normal 
operation  of  the  ih  m,  or  they  may  be  caused  by  external  factors  such 
as  lightning  strikes,  bird  ingestion,  corrosive  environments,  and  so  on. 
Product  improvement  to  increase  resistance  to  these  external  factors 
may  be  just  as  necessary  as  modifications  to  withstand  the  effects  of 
the  normal  operating  environment. 

DETERMINING  THE  NEED  FOR  PRODUCT  IMPROVEMENT 

Product  improvement  directed  toward  better  reliability  may  take  a 
number  of  forms.  An  item  may  be  modified  to  prevent  critical  failures, 
to  eliminale  a particularly  expensive  failure  mode,  or  to  reduce  its  over- 
all failure  rate.  The  equipment,  or  an  item  on  it,  may  be  modified  to 
facilitate  replacement  of  a failed  unit,  to  make  a hidden  function  visible, 
to  incorporate  features  that  make  on-condition  inspections  feasible,  or 
to  add  redundant  features  which  alter  the  consequences  of  failure. 

Product  improvement  is  expensive.  It  involves  the  cost  of  redesign 
and  the  manufacture  of  new  parts  or  whole  new  items.  The  operating 
organization  also  incurs  the  direct  cost  of  modifying  the  existing  equip- 
ment and  perhaps  the  indirect  cost  of  taking  it  out  of  service  while  such 
modifications  are  being  incorporated.  Further  risks  are  always  intro- 
duced when  the  design  of  high-performance  equipment  is  changed, 
and  there  is  no  assurance  that  the  first  ath  npt  at  improvement  will 
eliminate  or  even  alleviate  the  problem  at  which  improvement  is 
directed.  For  this  reason  it  is  important  to  distinguish  between  situ- 
ations in  which  product  improvement  is  necessary  and  those  in  which 
it  is  desirable. 

The  decision  diagram  in  Exhibit  5.8  is  hel}  tl  in  evaluating  the 
necessity  or  desirability  of  initiating  design  changes.  In  this  case  the 
answers  to  the  decision  questions  are  all  based  on  operating  experi- 
ence. As  always,  the  first  consideration  is  safety: 


Does  the  failure  cause  a loss  of  function  or  secondary  damage  that  could 
have  a direct  adverse  effect  on  operating  safety? 


If  the  answer  to  this  question  is  yes  the  next  concern  is  whether  such 
failures  can  be  controlled  at  the  maintenance  level: 


Are  present  preventive  measures  effectively  avoiding  such  failures? 


If  the  answer  is  no,  then  the  safety  hazard  has  not  been  resolved.  In  this 
case  the  only  recourse  is  to  remove  the  equipment  from  service  until 
the  problem  can  be  solved  by  redesign.  Clearly,  product  improvement 
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Improvement  1*  Improvement  is  Improvement  is  Improvement  is  Improvement  is 

desirable  not  justified  required  desirable  not  justified 


EXHIBIT  5*8  Decision  diagiam  to  determine  whether  product 
improvement  is  required  or  merely  desirable  if  it  is  cost-effective. 
Unless  product  improvement  is  required  for  safety  reasons,  its  cost 
effectiveness  must  be  assessed  (see  Exhibit  5.9)  to  determine  whether 
the  improvement  is  in  fact  economically  desirable. 


If  the  present  preventive  measures  are  effectively  controlling  criti- 
cal failures,  then  product  improvement  is  not  necessary  for  safety  rea- 
sons. However,  the  problem  may  seriously  restrict  operating  capability 
or  result  in  unduly  expensive  maintenance  requirements.  It  is  therefore 
necessary  to  investigate  the  possibility  of  reducing  these  costs: 


Is  product  improvement  cost-effective? 


Here  we  are  concerned  solely  with  economics.  As  long  as  the  safety 
hazard  has  been  removed,  the  only  issue  now  is  the  cost  of  the  preven- 
tive measures  employed.  By  the  same  token,  if  the  answer  to  the  first 
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may  still  have  costly  operational  consequences.  Thus  a no  answer  to  the 
safety  question  brings  us  directly  to  the  question  of  cost  effectiveness. 

DETERMINING  THE  DESIRABILITY  OF  PRODUCT  IMPROVEMENT 

There  is  no  hard-and-fast  rule  for  determining  when  product  improve- 
ment will  be  cost-effective.  The  major  variables  can  be  identified,  but 
the  monetary  values  assigned  in  each  case  depend  not  only  on  direct 
maintenance  costs,  but  on  a variety  of  other  shop  and  operating  costs, 
as  well  as  on  the  plans  for  continuing  use  of  the  equipment.  All  these 
factors  must  be  weighed  against  the  costs  of  product  improvement. 

An  operating  organization  is  always  faced  with  a larger  number  of 
apparently  cost-effective  improvement  projects  than  are  physically  or 
economically  feasible.  The  decision  diagram  in  Exhibit  5.9  is  helpful  in 
ranking  such  projects  and  determining  whether  a proposed  improve- 
ment is  likely  to  produce  discernible  results  within  a reasonable  length 
of  time. 

The  first  question  in  this  case  concerns  the  anticipated  further  use 
of  the  equipment: 

Is  the  remaining  technologically  useful  life  of  the  equipment  high? 

Any  equipment,  no  matter  how  reliable,  will  eventually  be  outmoded 
by  new  developments.  Product  improvement  is  not  likely  to  result  in 
major  savings  when  the  equipment  is  near  the  end  of  its  technologi- 
cally useful  life,  whereas  the  elimination  of  excess  costs  over  a span  of 
eight  or  ten  years  of  continued  service  might  represent  a substantial 
saving. 

Some  organizations  require  for  budget  approval  that  the  costs  of 
product  improvement  be  self-liquidating  over  a short  period  — say,  two 
years.  This  is  equivalent  to  setting  the  operational  horizon  of  the  equip- 
ment at  two  years.  Such  a policy  reduces  the  number  of  projects  initi- 
ated on  the  basis  of  projected  co*’.  Oenefits  and  ensures  that  only  those 
projects  with  relatively  high  payback  are  approved.  Thus  if  the  answer 
to  this  first  question  is  no,  we  can  usually  conclude  that  product  im- 
provement is  not  justified.  If  the  economic  consequences  of  failure  are 
very  large,  it  may  be  more  economical  to  retire  the  equipment  early 
than  to  attempt  to  modify  it.  ’ 

The  case  for  product  improvement  is  obviously  strengthened  if  an 
item  that  will  remain  in  service  for  some  time  is  also  experiencing  fre- 
quent failures: 


'niprovement  is  Improvement  is 

desirable  not  justified 


If  the  answer  to  this  question  is  yes,  we  must  consider  the  economic 
consequences  of  failure: 


Does  the  failure  involve  major  operational  consequences? 


Even  when  the  failures  have  no  operational  consequences,  there  is 
another  economic  factor  to  be  taken  into  account: 


Is  the  cost  of  scheduled  and/or  corrective  maintenance  high? 


Note  that  this  last  question  may  be  reached  by  more  than  one  path. 
With  a no  answer  to  the  failure-rate  question,  scheduled  maintenance 
may  be  effectively  preventing  functional  failures,  but  only  at  great  cost. 
With  a no  answer  to  the  question  of  operational  consequences,  func- 
tional failures  may  not  be  affecting  operating  capability,  but  the  failure 
mode  may  be  one  that  results  in  exceedingly  high  repair  costs.  Thus  a 
yes  answer  to  either  of  the  two  preceding  questions  brings  us  to  the 
question  of  product  improvement: 


Are  there  specific  costs  which  might  be  eliminated  by  product 
improvement? 


This  question  concerns  both  the  imputed  costs  of  reduced  operational 
capability  and  the  more  tangible  costs  associated  with  maintenance 
activities.  Unless  these  costs  are  related  to  a specific  design  character- 
istic, however,  it  is  unlikely  that  the  problem  will  be  eliminated  by 
product  improvement.  Hence  a no  answer  to  this  question  means  the 
economic  consequences  of  this  failure  will  probably  have  to  be  borne. 

If  the  problem  can  be  pinned  down  to  a specific  cost  element,  then 
the  economic  potential  of  product  improvement  is  high.  But  is  this 
effort  likely  to  produce  the  desired  results? 


Is  there  a high  probability,  with  existing  technology,  that  an  attempt 
at  product  improvement  will  be  successful? 


Although  a particular  improvement  might  be  very  desirable  econom- 
ically, it  may  not  be  feasible.  An  improvement  directed  at  one  failure 
mode  may  unmask  another  failure  mode,  requiring  several  attempts 
before  the  problem  is  solved.  If  informed  technical  opinion  indicates 
that  the  probability  of  success  is  low,  the  proposed  improvement  is 
unlikely  to  be  economically  worthwhile. 


If  the  improvement  under  consideration  has  survived  the  screening 
process  thus  far,  it  warrants  a formal  economic-tradeoff  study: 

Does  an  economic-tradeoff  study  show  an  expected  cost  benefit? 

The  tradeoff  study  must  compare  the  expected  reduction  in  costs  during 
the  remaining  useful  life  of  the  equipment  with  the  costs  of  obtaining 
and  incorporating  the  improved  item.  The  expected  benefit  is  then  the ' 
projected  saving  if  the  first  attempt  at  improvement  is  successful,  multi- 
plied by  the  probability  of  success  at  the  first  try.  Alternatively,  it  might 
be  considered  that  the  improvement  will  always  be  successful,  but  only 
a portion  of  the  potential  savings  will  be  realized. 

There  are  some  situations  in  which  it  may  be  necessary  to  proceed 
with  an  improvement  even  though  it  does  not  result  in  an  actual  cost 
benefit.  In  this  case  it  is  possible  to  work  back  through  the  set  of  deci- 
sion questions  and  determine  the  values  that  would  have  to  be  ascribed 
for  the  project  to  break  even.  Also,  improvements  in  the  form  of  in- 
creased redundancy  can  often  be  justified  when  redesign  of  the  offend- 
ing item  is  not.  This  type  of  justification  is  not  necessary  of  course, 
when  the  in-service  reliability  characteristics  of  an  item  are  specified 
by  contractual  warranties  or  when  there  is  a need  for  improvement  for 
reasons  other  than  cost. 

INFORMATION  REQUIREMENTS 

No  manufacturer  has  unlimited  resources  for  product  improvement.  He 
needs  to  know  which  modifications  to  his  product  are  necessary  and 
which  are  sufficiently  desirable  for  him  to  risk  the  cost  of  developing 
them.  This  information  must  come  from  the  operating  organizations, 
who  are  in  the  best  position  to  determine  the  consequences  and  costs 
of  various  types  of  failures  measure  their  frequency,  and  define  the 
specific  conditions  that  they  consider  unsatisfactory. 

Opinions  will  differ  from  one  organization  to  another  about  the 
desirability  of  specific  improvements,  both  because  of  differences  iri 
failure  experience  and  because  of  differing  definitions  of  a failure.  A 
failure  with  safety  consequences  in  one  operating  context  may  have 
only  operational  consequences  in  another,  and  operational  conse- 
quences that  are  major  for  one  organization  may  not  be  significant  for 
another.  Similarly,  the  costs  of  scheduled  and  corrective  maintenance 
will  vary  and  will  also  have  different  economic  impacts,  depending  on 
the  resources  of  each  organization.  Nevertheless,  the  manufacturer 


must  assess  the  aggregate  experience  of  the  various  users  and  decide 
which  improvements  will  be  of  greatest  value  to  the  entire  group. 

With  any  new  type  of  equipment,  therefore,  the  operating  organi- 
zation must  start  with  the  following  assumptions: 


► Certain  items  on  the  equipment  will  need  improvement. 

► Requests  for  improvement  must  be  supported  by  reliability  and 
cost  data. 

► Specific  information  on  the  failure  mode  must  be  provided  as  a 
basis  for  redesign. 

Critical  failures  must  be  reported  by  a safety-alert  system  so  that 
all  operating  organizations  can  take  immediate  action  against  identified 
safety  hazards.  Failure  with  other  operational  consequences  are  reported 
at  short  intervals  so  that  the  cost  effectiveness  of  product  improvement 
can  be  assessed  as  soon  as  possible.  The  airline  industry  imputes  high 
costs  to  delayed  or  cancelled  flights/  and  these  events  are  usually  re- 
port 'n  a daily  basis.  In  military  applications  it  is  important  that 
Opc:  . ata,  especially  peacetime  exercise  data,  be  examined  care- 

fui. . '„r  its  implications  for  operational  readiness. 

bur  items  whose  failure  has  no  operational  consequences,  the  only 
unification  for  product  improvement  is  a substantial  reduction  in 
support  costs.  Many  of  these  items  will  be  ones  for  which  there  is  no 
applicable  and  effective  form  of  preventive  maintenance.  In  this  case 
statistical  reliability  reports  at  monthly  or  quarterly  intervals  are  suffi- 
cient to  permit  an  assessment  of  the  desirability  of  product  improve- 
ment. The  economic  benefits  of  redesign  will  usually  not  be  as  great 
under  these  circumstances.  In  general,  the  information  requirements 
for  product  improvement  are  similar  to  those  for  management  of  the 
ongoing  maintenance  program.  In  one  case  the  information  is  used  to 
determine  necessary  or  desirable  design  modifications  and  in  the  other 
it  is  used  to  determine  necessary  or  desirable  modifications  in  the 
maintenance  program. 

THE  ROLE  OF  PRODUCT  IMPROVEMENT  IN  EQUIPMENT  DEVELOPMENT 

The  role  of  the  product-improvement  process  in  the  development  of 
new  equipment  is  exemplified  by  the  history  of  a fleet  of  Boeing  747's. 
The  first  planes  in  this  fleet  went  into  operation  in  1970  and  the  last  four 
planes  were  delivered  in  1973.  By  April  1976  the  airline  had  issued  a 
total  of  1,781  change-order  authorizations.  Of  this  total,  85  of  the  design 
changes  were  required  by  regulatory  agencies,  801  were  the  result  of 
altered  mission  requirements  by  the  airline,  and  895  were  required  by 
unsatisfactory  reliability  characteristics.  The  cumulative  number  of 
these  change  orders  over  the  first  six  years  of  operation  is  shown  in 
Exhibit  5.10.  Most  of  the  change  orders  to  meet  regulatory  requirements 
were  issued  in  compliance  with  FAA  airworthiness  directives.  Such 
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EXHIBIT  5 *10  History  of  change-order  authorizations  for  design 
improvements  in  the  Boeing  747  (top)  and  histoiv  of  FAA 
airworthiness  directives  issued  over  the  same  time  period  (bottom). 
(United  Airlines) 


Operating  age  of  oldest  airplane  (flight  hours) 
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The  895  design  changes  required  to  improve  reliability  character- 
istics did  not  include  those  associated  with  critical  failures.  They  con- 
sisted of  the  following  types  of  product  improvement: 

^ Those  desirable  to  prevent  or  reduce  the  frequency  of  conditions 
causing  delays,  cancellations,  or  substitutions  (495) 

► Those  desirable  to  improve  structural  fatigue  life  and  reduce  the 
need  for  frequent  inspection  and  repairs  (184) 

Those  desirable  to  prevent  or  reduce  the  frequency  of  conditions 
considered  to  compromise  ground  or  flight  safety  (214) 

All  these  changes  were  based  on  information  gathered  from  actual 
operations  after  the  equipment  went  into  service.  Such  information  is 
an  essential  part  of  the  development  cycle  in  all  complex  equipment. 


5 • 6 RCM  PROGRAMS  FOR 
IN-SERVICE  EQUIPMENT 

The  decision  process  outlined  in  Chapter  4 was  discussed  in  terms  of  use  of  available  information 
new  equipment.  However,  this  procedure  also  extends  to  the  develop-  expected  benefits 
ment  of  ar.  RCM  program  for  equipment  that  is  already  in  service  and 
is  being  supported  by  a scheduled-maintenance  program  developed  on 
some  other  basis.  In  this  case  there  will  be  much  less  need  for  default 
answers,  since  considerable  information  from  operating  experience  is 
already  available.  For  example,  there  will  be  at  least  some  information 
about  the  total  failure  rate  of  each  item,  the  actual  economic  conse- 
quences of  various  kinds  of  failures,  what  failure  modes  lead  to  loss  of 
function,  which  cause  major  secondary  damage,  and  which  are  domi- 
, nant.  Many  hidden  functions  will  have  been  identified,  and  there  may 

be  information  on  the  age-reliability  characteristics  of  many  items. 

Preparation  for  the  program  will  still  require  a review  of  the  design 
characteristics  of  the  equipment  to  define  a set  of  significant  functions 
i and  functional  failures.  The  usual  result  will  be  that  items  currently 

treated  individually  can  be  grouped  as  a system  or  subsystem  to  be 
considered  as  one  significant  item  in  the  new  program  A set  of  pro- 
posed maintenance  tasks  will  have  to  be  established  which  includes  all 
i those  existing  tasks  that  satisfy  the  applicability  criteria;  additional 

tasks  may  then  be  introduced  if  they  also  meet  these  requirements.  The 
tasks  would  then  be  analyzed  for  effectiveness  in  terms  of  failure  con- 
sequences, as  with  a prior-to-service  program. 

, The  new  RCM  program  should  be  developed  with  minimal  refer- 

* ence  to  the  existing  program,  and  the  two  programs  should  not  be  com- 
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to  avoiu  the  influence  of  past  biases  and  to  allow  for  free  exercise  of  the 
decision  structure.  When  a comparison  is  finally  made,  the  new  RCM 
program  will  generally  have  the  following  features: 

V Many  systems  and  subsystems  will  be  classified  as  significant  items. 

► There  will  be  a smaller  number  of  equipment  items  for  which 
unique  scheduled-maintenance  tasks  are  specified. 

► Most  systems  items  will  no  longer  be  subject  to  scheduled  rework. 

► Turbine  engines  and  other  complex  items  will  be  subject  to  a few 
specific  rework  or  discard  tasks,  rather  than  intensive  scheduled 
overhaul. 

► There  will  be  age-exploration  sampling  of  certain  identified  parts 
of  the  powerplant,  which  is  continued  until  the  parts  reach  very 
high  ages. 

► There  will  be  increased  use  of  on-condition  tasks. 

► There  will  be  some  new  tasks  that  are  justified  by  critical-failure 
modes,  operational  consequences,  or  hidden  functions. 

► The  intervals  of  higher-level  maintenance  packages  will  be  greatly 
increased,  whereas  intervals  of  lower-level  packages,  which  consist 
primarily  of  servicing  tasks  and  deferrable  corrective  work,  will 
remain  about  the  same. 

► The  overall  scheduled-maintenance  workload  will  be  reduced. 

if  the  existing  program  assigns  a large  number  of  items  to  sched- 
uled rework,  there  may  be  some  concern  that  eliminating  these  tasks 
will  result  in  a substantial  increase  in  the  failure  rate.  This  question  can 
be  resolved  by  conducting  actuarial  analyses  of  the  failure  data  for  these 
items  under  the  new  program,  to  confirm  that  the  change  in  mainte- 
nance policy  lias  not  adversely  affected  their  overall  reliability.  If  these 
analyses  show  that  rework  tasks  are  both  applicable  and  effective  for 
some  items,  they  can  be  reinstated. 

The  new  RCM  program  will  not  be  as  labor-intensive  as  the  pro- 
gram it  replaces,  and  this  fact  will  have  to  be  taken  into  account  in 
adjusting  staff  requirements  at  maintenance  facilities.  It  may  be  neces- 
sary to  estimate  the  volume  of  work  that  has  been  eliminated  in  each 
maintenance  package  and  make  these  adjustments  when  the  new  pro- 
gram is  first  implemented.  Otherwise  the  anticipated  reductions  in 
manhours  and  elapse^  time  for  scheduled  maintenance  will  often  not 
be  realized. 
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PART  TWO 

applications 


CHAPTER  SIX 

applying  rcm  theory  to  aircraft 


THE  REASONING  behind  RCM  programs  w.is  described  in  detail  in  Part 
One.  In  the  following  chapters  we  will  examine  specific  applications  of 
these  principles  to  actual  equipment  hardware.  Although  the  examples 
discussed  are  drawn  from  commercial  transport  aircraft,  they  provide 
practical  guidelines  that  easily  extend  to  other  operating  contexts  and 
to  the  development  of  scheduled-maintenance  programs  for  other  types 
of  complex  equipment.  The  principle  distinction  in  the  case  of  aircraft 
has  to  do  with  design  practices  that  are  common  to  the  aircraft  industry. 

In  the  case  of  commercial  aircraft  continuous  evolution  of  the  design 
requirements  promulgated  by  airworthiness  authorities  and  the  feed- 
back of  hardware  information  to  equipment  designers  by  operating 
organizations  have  led  to  increasing  capability  of  the  equipment  for 
safe  and  reliable  operation.  Thus  most  modem  aircraft  enter  service 
with  design  features  for  certain  items  that  allow  easy  identification  of 
potential  failures.  Similarly,  various  parts  of  the  airplane  are  designed 
for  easy  access  when  inspection  is  necessary  or  for  easy  removal  and 
replacement  of  vulnerable  items.  A host  of  instruments  and  other  indi- 
cators provide  for  monitoring  of  systems  operation,  and  in  nearly  all 
cases  essential  functions  are  protected  by  some  form  of  redundancy  or 
by  backup  devices  that  reduce  the  consequences  of  failure  to  a less 
serious  level. 

Complex  equipment  that  has  not  benefited  from  such  design  prac- 
tices will  have  diffe*  mt  — and  less  favorable  — reliability  characteristics, 
and  therefore  less  capability  for  reliable  operation.  Since  preventive 
maintenance  is  limited  by  the  inherent  characteristics  of  the  equip- 
ment, in  many  cases  RCM  analysis  can  do  little  more  than  recommend 
140  APPLICATIONS  the  design  changes  that  would  make  effective  maintenance  feasible. 


• -a.— V.  ■«.*  wtVLft . 


t 


The  principles  of  reliability-centered  maintenance  still  apply,  and  the 
decision  questions  are  the  same.  The  answers  to  these  questions,  how- 
ever, must  reflect  the  design  characteristics  of  the  equipment  itself  and 
hence  will  be  different  for  equipment  designed  to  other  standards. 

In  this  chapter  we  will  briefly  review  certain  aspects  of  RCM 
analysis,  examine  the  procedures  for  setting  up  a study  team  to  develop 
a prior-to-service  program,  and  consider  some  of  the  factors  involved 
in  monitoring  the  RCM  program  as  it  evolves  after  the  equipment 
enters  service. 
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The  complexity  of  modern  equipment  makes  it  impossible  to  predict 
with  any  degree  of  accuracy  when  each  part  or  each  assembly  is  likely  to 
fail.  For  this  reason  it  is  generally  more  productive  to  focus  on  those 
reliability  characteristics  that  can  be  determined  from  the  available 
information  than  to  attempt  to  estimate  failure  behavior  that  will  not 
be  known  until  the  equipment  enters  service.  In  developing  an  initial 
program,  therefore,  only  a modest  attempt  is  made  to  anticipate  the 
operating  reliability  of  every  item.  Instead,  the  governing  factor  in 
RCM  analysis  is  the  impact  of  a functional  failure  at  the  equipment 
level,  and  tasks  are  directed  at  a fairly  small  number  of  significant  items  — 
those  whose  failure  might  have  safety  or  major  economic  consequences. 
These  items,  along  with  all  hidden-function  items,  are  subjected  to 
intensive  study,  first  to  classify  them  according  to  their  failure  conse- 
quences and  then  to  determine  whether  there  is  some  form  of  mainte- 
nance protection  against  these  consequences. 


significant  items 
analysis  of  failure  consequences 
evaluation  ot  proposed  tasks 
the  default  strategy 
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The  first  step  in  this  process  is  to  organize  the  problem  by  parti- 
tioning the  equipment  into  object  categories  according  to  areas  of  engi- 
neering expertise.  Within  each  of  these  areas  the  equipment  is  further 
partitioned  in  decreasing  order  of  complexity  to  identify  significant 
items  (those  whose  failure  may  have  serious  consequences  for  the 
equipment  as  a whole),  items  with  hidden  functions  (those  whose 
failure  will  not  be  evident  and  might  therefore  go  undetected),  and  non- 
significant items  (those  whose  failure  has  no  impact  on  operating  capa- 
bility). As  this  last  group  encompasses  many  thousands  of  items  on  an 
aircraft,  this  procedure  focuses  the  problem  of  analysis  on  those  items 
whose  functions  must  be  protected  to  ensure  safe  and  reliable  operation. 

The  next  step  is  a detailed  analysis  of  the  failure  consequences  in 
each  case.  Each  function  of  the  item  under  consideration  is  examined 
to  determine  whether  its  failure  will  be  evident  to  the  operating  crew; 
if  not,  a scheduled-maintenance  task  is  required  to  find  and  correct 
hidden  failures.  Each  failure  mode  of  the  item  is  then  examined  to 
determine  whether  it  has  safety  or  other  serious  consequences.  If 
safety  is  involved,  scheduled  maintenance  is  required  to  avoid  the  risk 
of  a critical  failure.  If  there  is  no  direct  threat  to  safety,  but  a second 
failure  in  a chain  of  events  would  have  safety  consequences,  then  the 
first  failure  must  be  corrected  at  once  and  therefore  has  operational 
consequences.  In  this  case  the  consequences  are  economic,  but  they 
include  the  cost  of  lost  operating  capability  as  well  as  the  cost  of  repair. 
Thus  scheduled  maintenance  may  be  desirable  on  economic  grounds, 
provided  that  its  cost  is  less  than  the  combined  costs  of  failure.  The 
consequences  of  a nonoperational  failure  are  also  economic,  but  they 
involve  only  the  direct  cost  of  repair. 

This  classification  by  failure  consequences  also  establishes  the 
framework  for  evaluating  proposed  maintenance  tasks.  In  the  case  of 
critical  failures  — those  with  direct  safety  consequences  — a task  is  con- 
sidered effective  only  if  it  reduces  the  likelihood  of  a functional  failure 
to  an  acceptable  level  of  risk.  Although  hidden  failures,  by  definition, 
have  no  direct  impact  on  safety  or  operating  capability,  the  criterion  in 
this  case  is  also  risk;  a task  qualifies  as  effective  only  if  it  ensures  ade- 
quate protection  against  the  risk  of  a multiple  failure.  In  the  case  of  both 
operational  and  nonoperational  failures  task  effectiveness  is  measured 
in  economic  terms.  Thus  a task  may  be  applicable  if  it  reduces  the  failure 
rate  (and  hence  the  frequency  of  the  economic  consequences),  but  it 
must  also  be  cost-effective  — that  is,  the  total  cost  of  scheduled  mainte- 
nance must  be  less  than  the  cost  of  the  failures  it  prevents. 

Whereas  the  criterion  for  task  effectiveness  depends  on  the  failure 
consequences  the  task  is  intended  to  prevent,  the  applicability  of  each 
form  of  preventive  maintenance  depends  on  the  failure  characteristics 
of  the  item  itself.  For  an  on-condition  task  to  be  applicable  there  must  be 
a definable  potential-failure  condition  and  a reasonably  predictable  age 


interval  between  the  point  of  potential  failure  and  the  point  of  func- 
tional failure.  For  a scheduled  rework  task  to  be  applicable  the  reliability 
of  the  item  must  in  fact  be  related  to  operating  age;  the  age-reliability 
relationship  must  show  an  increase  in  the  conditional  probability  of 
failure  at  some  identifiable  age  (wearout)  and  most  units  of  the  item 
must  sun/ive  to  that  age.  The  applicability  of  discard  tasks  depends 
on  the  age-reliability  relationship,  except  that  for  safe-life  ,.s  the  life 
limit  is  set  at  some  traction  of  the  average  age  at  failure.  I aihre-finding 
tasks  are  applicable  to  all  hidden-function  items  not  covered  by  other 
tasks. 

EXHIBIT  6*1  Schematic  representation  of  the  RCM  decision  structure. 
The  numbers  represent  *’ie  decision  questions  stated  in  full  in  Exhibit 
4.4,  and  the  abbreviations  represent  the  task  assigned  or  other  action 
taken  as  an  outcome  of  each  decision  question. 
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The  process  of  developing  an  RCM  program  consists  of  determin- 
ing which  of  these  scheduled  tasks,  if  any,  are  both  applicable  and 
effective  for  a given  item.  The  fact  that  failure  consequences  govern  the 
entire  decision  process  makes  it  possible  to  use  a structured  decision- 
diagram  approach,  both  to  establish  maintenance  requirements  and  to 
evaluate  proposed  tasks.  The  binary  form  of  a decision  diagram-  allows 
a clear  focus  of  engineering  judgment  on  each  issue.  It  also  provides  the 
basic  structure  for  a default  strategy — the  course  of  action  to  be  taken  if 
there  is  insufficient  information  to  answer  the  question  or  if  the  study 
group  is  unable  to  reach  a consensus.  Thus  if  there  is  anv  uncertainty 
about  whether  a particular  failure  might  have  safety  consequences,  the 
default  answer  will  be  yes;  similarly,  if  there  is  no  basis  for  determining 
whether  a proposed  task  will  prove  applicable,  the  answer,  at  least  in  an 
initial  maintenance  program,  will  be  yes  for  on-condition  tasks  and  no 
for  rework  tasks. 

It  is  important  to  realize  that  the  decision  structure  itself  is  specifi- 
cally designed  for  the  need  to  make  decisions  even  with  minimal  infor- 
mation. For  example,  if  the  default  strategy  demands  redesign  and  this 
is  not  feasible  in  the  given  timetable,  then  one  alternative  is  to  seek  out 
more  information  in  order  to  resolve  the  problem.  However,  this  is  the 
exception  rather  than  the  rule.  In  most  cases  the  default  path  leads  to  no 
scheduled  maintenance,  and  the  correction,  if  any,  comes  naturally  as 
real  and  applicable  data  come  into  being  as  a result  of  actual  use  of  the 
equipment  in  service. 

The  decision  logic  also  plays  the  important  role  of  specifying  its 
own  information  requirements.  The  first  three  questions  assure  us  that 
all  failures  will  be  detected  and  that  any  failures  that  might  affect  safety 
or  operating  capability  will  receive  first  priority.  The  remaining  steps 
provide  for  the  selection  of  all  applicable  ar.d  effective  tasks,  but  only 
those  tasks  that  meet  the^e  criteria  are  included.  Again,  real  data  from 
operating  experience  will  provide  the  basis  tor  adjusting  default  deci- 
sions made  in  the  ubsence  of  information.  Thus  a prior-to-service 
program  consists  primarily  of  on-condition  and  sample  inspections, 
failure-finding  inspections  for  hidden-function  items,  and  a few  safe- 
life  discard  tasks.  As  information  is  gathered  to  evaluate  age-reliability 
relationships  and  actual  operating  costs,  rework  and  discard  tasks  are 
gradually  added  to  the  program  where  they  are  justified. 

The  net  result  of  this  careful  bounding  of  the  decision  process  is  a 
scheduled-maintenance  program  which  is  based  at  every  stage  on  the 
known  reliability  characteristics  of  the  equipment  in  the  operating  con- 
text in  which  it  is  used.  In  short,  reliability-centered  maintenance  is  a 
well-tested  answer  to  the  paradox  of  modern  aircraft  maintenance  — the 
problem  of  how  to  maintain  the  equipment  in  a safe  and  economical 
fashion  until  we  have  accumulated  enough  information  to  know  how 
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6 • 2 ORGANIZATION  OF  THE 

PROGRAM-DEVELOPMENT  TEAM 


In  the  airline  industry  the  FAA  convenes  a maintenance  review  board 
(MRB)  for  each  new  type  of  airplane.  This  board  is  responsible  for 
preparing  and  issuing  a document  that  defines  the  initial  scheduled- 
maintenance  program  for  the  new  equipment.  Although  the  initial  pro- 
gram of  each  airline  using  the  equipment  is  based  on  this  document, 
the  airlines  very  quickly  begin  to  obtain  approval  for  revisions  on  the 
basis  of  their  individual  experiences  and  operating  requirements.  Con- 
sequently the  programs  that  ultimately  come  into  effect  may  be  quite 
different  for  users  of  the  sa  ne  equipment. 

It  is  usual  practice  for  the  MRB  to  develop  this  document  as  a joint 
venture  involving  the  air  raft  and  engine  manufacturers,  the  purchasing 
airlines,  and  members  of  the  FAA.  The  industry  group  — the  manufac- 
turers and  the  airlines  — ordinarily  develop  a complete  program  and 
submit  it  to  the  MRB  as  a proposal;  the  MRB  then  incorporates  any  nec- 
essary changes  before  final  approval  and  release.  On  one  hand,  this 
procedure  cannot  be  started  until  the  design  characteristics  of  the 
equipment  are  well  established;  on  the  other  hand,  the  initial  program 
must  be  completed  and  approved  before  the  new  plane  can  enter  ser- 
vice. Thus  there  are  certain  time  constraints  involved. 

While  the  >r  .al  maintenance  program  is  being  developed,  other 
FAA  personnel,  manufacturing  and  airline  engineers,  and  pilots  of  the 
purchasing  airlines  compile  a minimum-equipment  list  (MEL)  and  a con- 
figuration-deviation i ist  (CDL).  These  two  lists  give  explicit  recognition 
to  the  fact  that  the  aircraft  can  be  operated  safely  in  a condition  that  is 
less  than  its  original  state.  In  fact,  these  lists  help  to  define  operational 
consequences,  since  they  define  the  failures  that  must  be  corrected 
before  further  operation.  The  minimum-equipment  list  specifies  the 
items  that  must  be  serviceable  at  the  time  a plane  is  dispatched  and  in 
some  cases  includes  mandatory  operating  limitations  if  certain  items 
are  inoperative.  The  configuration  deviation  list  is  concerned  primarily 
with  the  external  envelope  of  the  aircraft  and  identifies  certain  parts, 
such  as  cover  plates  and  small  pieces  of  fairing,  that  are  allowed  to  be 
missing. 

The  first  draft  of  the  RCM  program  is  generally  developed  by  an 
industry  task  force  specially  appointed  for  that  purpose.  Although  there 
are  no  hard-and-fast  rules  about  organization,  the  approach  on  air- 
line programs  has  been  a steering  committee  supported  by  a number 
of  working  groups.  The  steering  committee  consists  of  about  ten  manu- 
facturer and  airline  representatives  and  is  responsible  for  managing  all 
aspects  of  the  program  development;  this  committee  also  serves  as  the 
interface  with  the  manufacti  er  and  the  various  regulatory  agencies. 


regulatory  authorities 
the  role  of  the  steering 
committee 

the  role  of  the  working  groups 
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The  first  chore  of  the  steering  committee  is  to  appoint  working  groups 
of  eight  to  ten  members  to  conduct  the  detailed  study  of  the  aircraft 
structure,  powerplant,  and  systems.  Seven  such  working  groups  were 
employed,  for  example,  to  develop  the  maintenance  program  for  the 
Douglas  DC-10.  The  steering  committee  sets  the  ground  rules  for  each 
working  group  and  selects  a group  chairman.  Ordinarily  a steering- 
committee  member  also  sits  in  on  each  working-group  meeting  to 
audit  progress  and  resolve  problems.* 

One  other  responsibility  of  the  steering  committee  is  to  arrange 
for  training.  All  members  of  the  task  force  are  given  a one-week  course 
to  familiarize  them  with  the  features  of  the  new  equipment.  Members 
of  the  working  groups,  however,  require  additional  training  in  RCM 
analysis  (usually  by  the  steering  committee)  and  much  more  detailed 
training  on  the  particular  aspect  of  the  equipment  they  are  to  analyze. 
The  training  in  RCM  procedures  assures  that  all  participants  have  a 
uniform  understanding  of  the  basic  task  criteria  and  the  definitions  of 
such  key  terms  as  significant  item,  function,  functional  failure,  failure 
mode,  failure  consequences,  and  cost  effectiveness.  Working-group  mem- 
bers must  also  be  familiar  with  the  decision  logic  used  to  sort  and  select 
tasks  and  with  the  default  strategy  to  be  employed  when  there  is  no 
information  or  the  group  is  unable  to  reach  a consensus. 

The  members  of  the  task  force  should  represent  the  best  engineer- 
ing and  maintenance  talent  available.  Ideally,  the  steering-committee 
should  be  headed  by  someone  who  has  had  previous  experience  with 
similar  efforts  and  is  completely  familiar  with  RCM  techniques  (or 
employs  someone  who  is  familiar  with  them).  All  members  of  that 
committee  should  be  generalists,  rather  than  specialists.  Their  duties 
require  experience  in  management  and  analysis,  whereas  the  working- 
group  members  need  actual  hardware  experience.  Thus  the  steering 
committee  is  often  composed  of  reliability,  engineering,  and  quality- 
assurance  managers,  whereas  the  working  groups  consist  of  working 
engineers. 

The  working  groups  are  responsible  for  identifying  and  listing  the 
significant  and  hidden-function  items  and  evaluating  the  proposed 
scheduled  tasks.  Usually  they  will  be  able  to  start  with  preliminary 
worksheets  prepared  by  the  manufacturers.  These  worksheets  are 
studied  in  detail,  and  in  some  cases  the  working  group  may  examine 
an  aircraft  that  is  being  assembled  to  confirm  certain  points.  Each  group 
recommends  additions  and/or  deletions  of  significant  items,  essential 
functions,  failure  modes,  and  anticipated  failure  consequences  and 
selects  appropriate  scheduled  tasks  and  task  intervals  for  the  portion  of 

‘The  role  of  the  auditor  in  a program-development  project  is  discussed  in  detail  in  Appen- 
dix A.  This  discussion  also  covers  some  of  the  common  problems  that  arise  during  analysis 
and  provides  a useful  review  for  those  who  may  be  woi  ing  with  RCM  Procedures  for  the 
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the  equipment  on  which  it  is  working.  The  results  are  then  summarized 
in  a way  that  allows  the  steering  committee  to  evaluate  the  analysis  and 
incorporate  the  scheduled  tasks  in  the  program. 


6 • 3 BEGINNING  THE  DECISION  PROCESS 


A new  aircraft  is  never  totally  new.  Rather,  it  is  the  product  of  an  era, 
although  its  design  usually  includes  some  recent  technological  develop- 
ments to  improve  performance  capabilities  and  reduce  maintenance 
costs.  The  program-development  team  thus  begins  with  a large  body  of 
knowledge  gained  from  experience  with  other  aircraft.  In  addition  to 
this  general  context  of  expertise,  there  are  specific  test  data  on  the  vital 
portions  of  the  aircraft.  These  are  the  manufacturer's  tests,  conducted 
during  design  and  development  of  the  equipment  to  establish  the  in- 
tegrity of  the  structure,  the  reliability  and  performance  characteristics 
of  fhe  powerplant,  and  other  factors  necessary  to  ensure  that  the  various 
systems  and  components  will  in  fact  perform  as  intended.  Finally,  the 
new  equipment  will  come  to  the  RCM  team  with  a list  of  manufacturer's 
recommendations  for  scheduled  lubrication  and  servicing,  and  often 
more  extensive  maintenance  suggestions  as  well. 

In  evaluating  and  selecting  the  scheduled-maintenance  tasks  for 
this  new  equipment,  the  analysis  team  will  therefore  have  a fairly  good 
idea  from  the  outset  of  which  functions,  failures,  and  tasks  are  going  to 
demand  consideration.  The  first  step  in  the  procedure  is  to  partition 
the  aircraft  into  its  major  divisions  so  that  these  can  be  assigned  to  the 
various  working  groups.  Usually  one  working  group  is  established  to 
study  the  structure,  another  to  study  the  powerplant,  and  several  more 
to  study  the  various  systems. 

The  systems  division  includes  the  various  sets  of  items  other  than 
the  engine  which  perform  specific  functions  — the  environmental- 
control  system,  the  communications  system,  the  hydraulic  system.  It 
also  includes  the  items  that  connect  the  assemblies;  for  example,  the 
hydraulic  system  includes  the  lines  that  conrect  the  actuators  to  the 
pump.  The  powerplant  includes  only  the  basic  engine.  It  does  not  in- 
clude the  ignition  system  or  engine-driven  accessories,  such  as  the  fuel 
control  and  the  constant-speed  drive,  all  of  which  are  part  of  systems. 
Nor  does  it  include  the  engine  cowling  and  supports,  which  are  part  of 
the  structure.  Structure  includes  all  of  the  airframe  structure,  as  well  as 
the  movable  flight-control  surfaces,  hinges,  hinge  bearings,  and  ianding 
gear.  However,  the  actuators,  cables,  gearboxes,  and  hydraulic  compo- 
nents associated  with  these  items  are  treated  as  part  of  the  systems 
division. 

Each  working  group  partitions  the  portion  of  the  equipment  for 
which  it  is  responsible  in  descending  levels  of  complexity  to  identify 


the  partitioning  process 
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nonsignificant  items  on  the  one  hand  and  significant  and  hidden- 
function  items  on  the  other.  To  help  organize  this  process  the  items  are 
usually  characterized  in  some  kind  of  order.  For  example,  the  engine  is 
ordinarily  partitioned  according  to  the  order  in  which  it  is  assembled  — 
by  module,  stage,  and  part— whereas  the  structure  is  partitioned  accord- 
ing to  geographic  zones.  Exhibit  6.2  shows  some  typical  items  included 
under  each  of  the  major  divisions,  as  well  as  typical  items  covered 


EXHIBIT  6*2  Typical  hardware  items  in  each  of  the  three  major 
divisions  of  an  aircraft.  The  level  of  item  selected  as  significant  in 
each  case  wili  depend  on  the  consequences  of  a functional  failure  for 
the  aircraft  as  a whole.  These  items  will  be  subjected  to  intensive 
RCM  analysis  to  determine  how  they  might  benefit  from  scheduled 
maintenance.  The  resulting  program  of  RCM  tasks  is  supplemented 
by  a separate  program  of  zonal  inspections,  which  consists  of  scheduled 
general  inspections  of  all  the  items  and  installations  within  the 
specified  zone. 


systems  powerplant  structure  zonal  installations 


Flight-control  system 
Actuators 
Gearboxes 
Cables 
Linkages 
Control  valves 
Electric-power  system 
Generators 
Relays 

Constant-speed  drives 
Bus-control  unit 
Air-conditioning  system 
Packs 
Valves 
Sensors 

Ignition  system 
Igniter 

Power  supply 


Compressor  Section 
Stators 
Spacers 
Tie  rods 
Blades 
Air  seal 

Compressor  hubs 
Disks 

Combustion  section 
Scavenge  pumps 
Exit  guide  vanes 
Diffuser  case 
Inner  case 
Bearing  assembly 
Bearing  carbon  seal 
Stator  support 
Combustion  chambers 
Rear  support 
Outlet  ducts 
Nozzle  guide  vanes 


Wing  and  empennage 
Stringers 
Span 
Skins 

Control  surfaces 
Slats  and  flaps 
Hinges 
Landing  gear 
Shock  struts 
Pistons 

Fuselage 
Cir.ni  inferential* 
Longerons 
Skins 
Bulkheads 


Wing  zones 
Hydraulic  lines 
Fuel  lines 
Wiring 
Ducting 


Wheelwell 
Switches 
Hydraulic  lines 
Wiring 

Fuselage  zones 
Oxygen  cylinders 
Assembly  housings 
Water  lines 
Wiring 
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by  zonal-installation  inspections.  Although  these  general  inspections 
are  not  established  on  the  basis  of  RCM  analysis,  the  tasks  themselves, 
along  with  the  necessary  servicing  and  lubrication  tasks,  are  included 
in  the  final  list  of  scheduled  tasks  for  packaging  in  the  maintenance 
program. 

This  first  sorting  process  to  identify  significant  items  is  largely  a 
matter  of  experience  and  judgment^.So.Tie  items  will  be  classified  as 
significant  because  they  have  always  been  significant  in  the  past;  others 
may  be  included  because  there  is  some  uncertainty  about  their  impact 
on  the  system  as  a whole.  In  selecting  the  appropriate  level  of  item  for 
intensive  study,  two  types  of  error  are  possible:  partitioning  too  far 
down  and  unnecessarily  increasing  the  workload,  or  else  not  partition- 
ing down  far  enough  and  thus  overlooking  some  failure  mode  that  may 
later  prove  significant.  The  first  inclination  is  to  minimize  this  latter 
possibility  in  the  interests  of  safety.  However,  with  limited  time  and 
resources  it  is  equally  important  to  pick  some  cutoff  point  that  will  not 
dilute  the  effort  needed  for  truly  significant  items.  The  optimum  cutoff 
point  for  each  item  thus  lies  in  a fairly  narrow  range. 

The  partitioning  process  organizes  the  problem,  but  it  is  also  nec- 
essary to  organize  the  information  required  to  solve  it.  In  addition  to 
the  manufacturer's  designation  of  the  item,  a brief  description  is  needed 
that  indicates  the  basic  function  of  the  item  and  its  location  in  the 
equipment.  It  is  also  necessary  to  make  a complete  and  accurate  list  of 
all  the  other  intended  or  characteristic  functions  of  the  item  in  order  to 
define  the  functional  failures  to  which  it  is  subject.  A functional  failure 
is  any  condition  that  prevents  the  item  from  meeting  its  specified  per- 
formance requirements;  hence  the  evidence  by  which  this  condition 
can  be  recognized  must  be  specified  as  well.  A functional  failure  may 
have  several  failure  modes,  and  the  most  likely  ones  must  be  identified. 
For  example,  the  list  of  functional  failures  for  the  mom  oil  pump  on  a 
jet  engine  might  include  high  pressure,  low  pressure,  no  pressure,  con- 
taminated oil,  and  leaks.  However,  the  condition  of  no  pressure  may 
be  caused  by  drive-gear  failure,  shaft  failure,  or  a broken  oil  line. 

To  evaluate  the  consequences  of  each  type  of  failure  it  is  necessary 
to  identify  both  the  effects  of  a loss  of  function  and  the  effects  of  any 
secondary  damage  resulting  from  a particular  failure  mode,  cor  example, 
the  loss  of  function  for  a generator  might  be  described  as  no  output;  if 
the  cause  is  bearing  failure,  however,  the  probable  secondary  damage 
is  complete  destruction  of  the  generator,  which  is  very  expensive.  An- 
other important  factor  in  evaluating  failure  consequences  is  the  design 
of  the  equipment  itself.  All  redundancies,  protective  devices,  and  moni- 
toring equipment  must  be  listed,  since  these  have  a direct  bearing  on 
the  seriousness  of  any  single  failure.  If  an  essential  function  is  available 
from  more  than  one  source,  then  a failure  that  might  otherwise  have  a 


direct  effect  on  safety  or  operating  capability  may  have  no  significant 
consequences.  Similarly,  failure  annunciators  and  other  instrumenta- 
tion mean  that  failures  that  would  otherwise  be  hidden  are  in  fact  evi- 
dent to  the  operating  crew. 

All  these  data  elements  are  assembled  for  each  item  before  the 
analysis  begins.  To  keep  track  of  the  necessary  information  it  is  helpful 
to  summarize  the  data  for  each  item  on  a descriptive  worksheet  like 
that  shown  in  Exhibit  6.3,  The  analysis  itself  consists  of  a systematic 
examination  of  each  failure  possioility  and  an  evaluation  of  proposed 
maintenance  tasks.  Tasks  are  proposed  by  both  the  manufacturing 


EXHIBIT  6*3  Item  information  worksheet.  The  data  elements  that 
pertain  to  each  item  are  assembled  and  recorded  on  a descriptive 
worksheet  before  the  analysis  is  begun.  For  convenience  in 
documenting  the  decision  process,  it  is  helpful  to  use  reference 
numbers  and  letters  for  the  various  functions,  functional  failures,  and 
failure  modes  of  each  item. 


SYSTEM  INFORMATION  WORKSHEET  type  of  aircraft 


Item  number 
Item  name 

vendor  part/model  no. 


item  description 


reliability  data 

premature-removal  rate  (per  1,000  unit  hours) 
failure  rate  (per  1,000  unit  hours) 
source  of  data 

functions  functional  failures 
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members  of  the  program-development  team  and  by  the  members  of  vhe 
operating  organization.  The  manufacturer  has  more  specific  knowledge 
of  the  equipment,  its  intended  design  features,  and  the  development 
and  testing  procedures  that  were  employed.  The  operating  organization 
has  the  more  intimate  knowledge  of  how  the  equipment  will  be  used, 
what  sorts  of  maintenance  tasks  are  feasible,  and  which  ones  have 
proved  most  effective  in  the  recent  past. 

To  ensure  that  the  entire  decision  process  is  documented,  the  an- 
swer to  each  question  in  the  decision  diagram  must  be  recorded.  One 
convenient  form  is  shown  in  Exhibit  6.4;  the  numbers  across  the  top 


no.  per  aircraft 


prepared  by 
reviewed  by 
approved  by 


redundancies  and  protective  features  (include  instrumentation) 


built-in  test  equipment  (describe) 

Can  aircraft  be  dispatched  with  item 
inoperative?  If  so,  list  any  limitations 
which  must  be  observed. 


failure  modes 


classification  of  item  (check) 
significant 


hidden  function 


nonsignificant 


failure  effects 
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item  nutie 


response*  to  deciiion-dUgram  question* 
ref.  consequent**  task  selection 

F FF  FM  1 2 3 4 5 6 7 8 9 10  11  12  13  1«  15  16 
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EXHIBIT  6*4  Decision  worksheet  for  systems  and  powerpiant  items. 
For  each  function  (F),  functional  failure  (FF),  and  failure  mode  (FM), 
the  answer:  to  the  questions  in  the  decision  diagram  are  recorded 
to  show  the  reasoning  leading  io  the  selection  of  a particular  task.  In 
the  case  of  structural  items  the  principal  decision  problem  concerns 
the  seiectii  n of  task  intervals;  lienee  the  worksheet  form  used  for 
structures  is  somewhat  different. 


t 


represent  the  decision  questions,  and  the  trail  of  answers  shows  the 
logic  by  which  a particular  decision  was  reached.  Depending  on  the 
nature  of  the  item,  its  failure  characteristics,  and  the  failure  conse- 
quences that  govern  the  evaluation,  the  outcome  may  be  one  or  more 
scheduled  tasks,  redesign,  or  no  scheduled  maintenance.  In  each  case, 
however,  the  reason  for  the  decision  will  be  clearly  identifiable,  both  for 
auditing  during  analysis  and  for  later  review. 

The  study  up  to  this  point  represents  a substantial  effort.  The  analy- 
sis for  the  Douglas  DC-10,  which  was  based  on  similar  principles,  led 
to  a set  of  reports  approximately  10  inches  high  and  represented  about 
10  man  years  of  effort  over  an  18-month  period.  Nevertheless,  given  the 
complexity  of  modem  aircraft,  this  effort  is  still  modest  in  comparison 
to  what  might  be  envisioned  if  the  several  bounds  on  the  process  were 
relaxed.  These  bounds  are  established  by  the  decision  questions  them- 
selves, by  the  default  strategy  that  provides  for  decision  making  with 
minimal  information,  and  also  by  the  auditing  process  that  goes  on 
both  during  analysis  and  afterward. 
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pag*  of 
Item  number 


proposed  task 


initial  interval 


6*4  THE  INFORMATION  FLOW  IN 
DECISION  MAKING 


The  flow  of  information  in  RCM  decision  making  is  a circular  process 
that  begins  with  the  initial  selection  of  items  for  intensive  analysis  and 
continues  throughout  the  life  of  the  equipment.  The  very  selection  of 
significant  items  requires  not  only  substantial  factual  data,  but  consid- 
erable experience  and  judgment  as  inputs  to  a prior-to-service  analysis. 
The  outputs  are  a list  of  all  the  applicable  and  effective  tasks  to  be  in- 
cluded in  the  scheduled-maintenance  program.  These  tasks  are  then 
assigned  intervals  and  packaged  for  implementation,  and  from  this 
point  on  the  information  from  actual  operating  experience  becomes  the 
input  data. 

In  most  cases  the  transition  from  prior-to-service  study  to  actual 
maintenance  on  in-service  equipment  takes  place  gradually.  The  first 
few  planes  delivered  and  put  into  service  are  inspected  at  relatively  fre- 
quent intervals.  This  "excessive"  maintenance  is  not  expensive,  since 
only  a few  planes  are  involved,  and  it  serves  both  to  work  out  the  short- 
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EXHIBIT  6-5  The  process  of  information  flow  and  decision  making 
in  the  development  and  evolution  of  an  RCM  program. 


comings  in  the  maintenance  program  and  to  provide  training  oppor- 
tunities for  the  personnel  who  will  eventually  handle  the  entire  fleet. 

During  early  operation  the  condition  and  performance  of  the  air- 
craft are  continually  monitored  through  what  the  FAA  terms  an  analysis 
and  surveillance  program.  The  maintenance  department  is  prepared  for 
unanticipated  kinds  of  failures  and  is  ready  to  react  immediately  to  any 
critical  events.  Other  failure  experiences  are  reported  systematically, 
and  this  information  is  used  to  review  and  revise  the  scheduled  tasks 
and  to  provide  the  cost  data  necessary  to  initiate  product  improvement. 
The  maintenance  crew  wi'l  also  be  able  to  confirm  the  reliability  of 
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many  items;  that  is,  they  will  see  a great  deal  of  nonfailure,  which  is  also 
reflected  in  the  program  as  it  evolves.  For  example,  the  inspection  inter- 
vals for  items  that  are  performing  satisfactorily  will  be  extended,  thus 

(reducing  the  workload  per  plane  at  about  the  same  rate  that  new  planes 
are  entering  service. 

By  the  time  the  fleet  has  reached  full  size  — about  five  years  after 
the  first  planes  enter  service  — the  thrust  of  maintenance  analysis  turns 
] to  a more  careful  study  of  the  items  that  may  eventually  show  wearout 

* characteristics  and  would  therefore  benefit  from  periodic  rework  or 

I ! discard.  As  the  potential-failure  ages  of  longer-lived  items  are  identified,  SECTION  6 ‘4  155 


some  of  these  items  may  also  be  modified  through  redesign  to  increase 
their  longevity,  and  there  will  be  corresponding  changes  in  their  main- 
tenance requirements,  necessitating  a further  round  of  analysis  and  age 
exploration  to  determine  their  new  reliability  characteristics.  Periodi- 
cally the  entire  maintenance  program  is  subjected  to  "purging,"  both  to 
eliminate  tasks  that  have  crept  in  to  take  care  of  problems  that  have  since 
been  resolved  and  to  omit  borderline  tasks  that  have  not  proved  to  be 
worthwhile. 

As  a result  of  continuous  maintenance  and  product  improvement, 
the  aircraft  also  evolves  throughout  its  operating  life.  Most  commercial 
aircraft  remain  in  operation  for  at  least  twenty  years.  At  the  end  of  this 
time,  although  the  overall  structure  of  any  giver  plane  will  be  essen- 
tially the  structure  it  started  with,  the  rest  of  the  aircraft  will  have  been 
substantially  replaced  or  modified,  and  most  of  the  replaceable  parts 
will  have  been  changed  many  times.  Thus  the  aircraft  is  not  in  fact 
twenty  years  old;  only  the  basic  structure  is.  This  constant  cycle  of  pre- 
ventive and  corrective  maintenance  ensures  that  an  aircraft  does  not 
wear  out  with  age.  Instead,  it  remains  in  service  until  newer  designs 
render  it  technologically  obsolete. 

To  realize  the  inherent  reliability  of  any  aircraft  it  is  necessary  to 
keep  track  of  its  state,  both  individually  and  collectively,  from  the  time 
the  equipment  enters  service  until  the  time  it  is  finally  retired.  The 
information  about  failed  items,  potential  failures,  and  the  correspond- 
ing replacement  of  parts  or  components  in  each  a,;craft  must  be 
recorded  and  assembled  in  a form  that  allows  for  analysis  of  the  per- 
formance of  the  aircraft  as  a whole,  as  well  as  the  performance  of  indi- 
vidual items.  At  the  earliest  stages  these  information  requirements  con- 
cern only  individual  failures  and  failure  modes.  Soon  after,  it  becomes 
necessary  10  keep  track  of  the  accumulated  operating  time  of  the  fleet 
in  order  to  establish  failure  rates,  and  when  they  are  sufficiently  low, 
reduce  inspection  frequencies.  It  is  sometimes  helpful  during  the 
middle  years  of  operation  to  make  extensive  studies  of  individual  item 
histories  (including  actuarial  analyses). 

Given  the  hundreds  of  thousands  of  parts  on  a modern  aircraft, 
these  information  requirements  call  tor  careful  judgment.  The  notion 
that  someone  must  be  able  to  determine  at  any  point  how  long  the  light 
bulb  over  seat  3F  has  been  in  operation  would  lead  to  staggering  infor- 
mation costs.  Just  as  it  is  crucial  at  the  beginning  to  size  the  problem  of 
analysis,  so  it  is  crucial  to  size  the  reporting  system  so  that  the  informa- 
tion necessary  to  manage  the  ongoing  maintenance  program  is  not 
buried  by  an  information  overload.  The  various  types  of  reporting 
systems  and  the  specific  kinds  of  information  they  provide  are  dis- 
cussed in  Chapter  11. 

Whatever  the  equipment,  as  the  maintenance  program  evolves 
each  iteration  of  the  decision  process  must  be  documented  and  audited 
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by  independent  observers  if  the  results  are  to  be  relied  upon.  This  docu- 
mentation is  just  as  important  for  subsequent  modifications  of  the  ini- 
tial program  as  it  was  in  developing  the  initial  program.  The  structure 
of  the  decision  logic  provides  such  documentation,  since  the  list  of 
yes/no  answers  to  specific  questions  leaves  a clear  audit  trail  that  can 
be  checked  both  during  and  after  the  decision  process.  This  audit  trail, 
together  with  the  information  on  which  the  initial  decisions  were  made 
and  modified  during  subsequent  operation  of  the  equipment,  provides 
the  starting  point  for  the  next  round  of  design  evolution.  Given  the 
transitory  nature  of  the  workforce  in  both  government  and  commercial 
situations  and  the  relatively  long  service  life  of  complex  equipment,  this 
maintenance-system  “memory"  is  a necessary  factor  in  long-term  tech- 
nological improvement. 
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ran  analysis  of  systems 


THE  SYSTEMS  division  includes  all  the  systems  required  for  operating  the 
airplane  except  the  powerplant  itself.  Most  systems  are  composed  of 
numerous  separate  assemblies,  or  components,  linked  by  electrical  or 
hydraulic  lines  or  other  connecting  devices.  Even  in  a new  type  of  air- 
craft few  of  the  systems  components  will  be  entirely  new;  most  will 
have  been  used  in  pievious  designs.  As  a result,  the  reliability  charac- 
teristics of  many  systems  items  are  fairly  well  known  and  data  are  often 
available  on  tJ'.e  applicability  and  effectiveness  of  specific  maintenance 
tasks.  Maintenance  experience  has  also  shown  that  certain  classes  of 
items,  such  as  electronic  components,  have  the  generic  characteristic  of 
being  unable  to  benefit  from  scheduled  maintenance. 

A great  many  systems  items  do  not  require  scheduled  maintenance. 
While  a number  of  systems  do  have  hidden  functions  that  must  be  pro- 
tected by  scheduled  tasks,  most  aircraft  systems  have  been  designed  to 
preclude  critical  failures  and  many  have  been  designed  to  ensure  that 
the  aircraft  will  remain  fully  operational  after  the  occurrence  of  a fail- 
ure. An  item  whose  failure  is  evident  to  the  operating  crew  and  has  no 
safety  or  operational  consequences  would  be  classified  as  nonsignifi- 
cant and  assigned  in  an  initial  program  to  no  scheduled  maintenance. 
The  system  itself  would  be  designated  as  significant,  since  its  overall 
function  is  essential  to  the  aircraft.  In  many  cases,  however,  the  units 
that  actually  perform  this  function  are  nonsignificant  items,  since  a 
failure  of  any  one  of  them  has  no  consequences  other  than  the  cost 
of  repair. 

In  general,  the  outcome  of  RCM  analysis  depends  more  on  the 
design  characteristics  of  the  system  than  on  the  nature  of  the  item. 
Nevertheless,  certain  results  are  typical  for  various  classes  of  items. 
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will  often  receive  on-condition  tasks,  and  on  rare  occasions  a rework 
task,  although  frequently  the  assignment  is  to  no  scheduled  mainte- 
nance. Hydraulic  items  are  generally  assigned  on-condition  tasks  in 
which  a gross-flow  check  of  the  entire  system  is  followed  by  isolation 
checks  to  pinpoint  the  source  of  internal  leaks.  Electrical  and  electronic 
items,  unless  they  have  hidden  functions  that  require  failure-finding 
tasks,  will  nearly  always  be  assigned  to  no  scheduled  maintenance. 


7 • I CHARACTERISTICS  OF  SYSTEMS  ITEMS 

Each  type  of  system  has  a unique  function  in  an  aircraft  — flight  control,  design  characteristics 
environmental  control,  fuel  supply,  high-frequency  communication,  maintenance  characteristics 
and  so  on.  Nevertheless,  systems  as  a group  have  certain  common  char- 
acteristics that  affect  their  maintenance  requirements.  Most  systems 
are  equipped  with  instrumentation  which  allows  the  operating  crew 
to  monitor  the  performance  both  of  the  system  as  a whole  and  of  many 
of  its  individual  components.  Thus  as  a general  rule  functional  failures 
are  evident  to  the  crew  Also,  such  failures  seldom  affect  operating 
safety.  As  a result  of  careful  design,  even  unanticipated  failure  modes 
are  unlikely  to  have  safety  consequences.  The  chief  reason  for  this  is 
the  high  degree  of  redundancy  employed  in  systems  design.  All  essen- 
tial functions  are  available  to  the  aircraft  from  more  than  one  source,  so 
that  the  system  is  fail-safe. 

It  is  usual,  in  fact,  for  system'  to  include  enough  redundancy  to 
permit  completion  of  a day's  flying  after  a failure  has  occurred.  Under 
these  circumstances  the  airplane  can  be  dispatched  with  one  unit  inop- 
erative, and  unless  a second  unit  fails  there  is  no  need  to  interrupt  sched-  SECTION  7*1  159 
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EXHIBIT  7- 1 The  most  common  outcomes  of  RCM  analysis  in  the 
systems  division.  Few  systems  failures  fall  in  the  safety  branch; 
several,  however,  may  fall  in  the  hidden-function  branch.  The 
principal  objective  of  analysis  is  to  ensure  that  these  exceptions  are 
accurately  identified. 

uled  operations  for  corrective  maintenance.  Thus,  despite  the  frequency 
of  systems  failures,  the  majority  of  these  failures  have  no  operational 
consequences.  Correction  of  the  failure  is  simply  deferred  to  a conve- 
nient time  and  location,  in  addition  to  the  protection  afforded  by  redun- 
dancy, some  of  the  more  exotic  devices,  such  as  the  autoland  system, 
employ  a newer  technique  called  fail-operational.  In  this  case  not  only 
the  aircraft,  but  the  system  itself  remains  fully  operational  after  the 


Even  though  systems  in  commercial  aircraft  are  designed  to  reduce 
failure  consequences  to  the  nonoperational  level,  once  the  equipment 
enters  service  the  performance  of  all  items,  including  those  assigned 
to  no  scheduled  maintenance,  is  carefully  monitored  during  the  early 
stages  of  operation.  To  meet  the  space  and  weight  requirements  of  high- 
performance  aircraft,  systems  components  are  generally  designed  with 
a low  initial  margin  of  failure  resistance;  hence  their  overall  reliability 
tends  to  be  low.  To  offset  this  problem  components  are  usually  designed 
for  easy  replacement  in  the  field.  Even  so,  the  poor  reliability  of  certain 
items  may  result  in  unacceptable  repair  or  support  costs,  and  the  need 
to  improve  systems  items  by  redesign  is  quite  common  in  new  aircraft. 

Another  characteristic  of  systems  is  that  the  assemblies  that  com- 
prise them  are  themselves  multicelled  and  subject  to  numerous  failure 
modes— that  is,  they  are  complex  items.  Since  the  overall  reliability  of  a 
complex  item  generally  shows  little  or  no  relationship  to  operating  age, 
scheduled  rework  is  rarely  applicable  to  systems  components  (see  Sec- 
tion 3.2)  Rework  or  discard  tasks  may  be  applicable,  however,  to 
relatively  simple  parts  such  as  connecting  lines  or  to  items  subject  to 
mechanical  wear  or  metal  fatigue.  Some  assemblies  may  also  include 
safe-life  parts,  such  as  the  actuator  endcaps  in  certain  flight-control  sys- 
tems, for  which  redundancy  is  not  feasible. 

In  terms  of  RCM  analysis,  then,  systems  items  are  characterized  by 
evident  failures  which  fall  primarily  in  the  economic  branches  of  the 
decision  diagram,  where  scheduled  maintenance  is  desirable  only  if  it 
is  cost-effective  (see  Exhibit  7.1).  For  this  reason,  and  because  most 
failures  are  unrelated  to  operating  age,  the  most  frequent  outcome  of 
analysis  is  either  an  on-condition  task  or  no  scheduled  maintenance. 

However,  the  exceptions  to  this  general  pattern  may  fall  in  any  branch 
and  lead  to  almost  any  of  the  possible  outcomes.  The  principal  focus  in 
developing  a prior-to-service  program  for  systems  is  on  proper  identi- 
fication of  these  exceptions. 

7 • 2 ASSEMBLING  THE  REQUIRED  INFORMATION 

The  analysis  of  a system,  subsystem,  or  assembly  requires  a knowledge  initial  information  requirements 
both  of  the  system  itself  and  of  the  relationship  of  the  system  to  the  air-  lh«  information  worksheet 
craft  as  a whole.  To  evaluate  the  consequences  of  a functional  failure 
it  is  necessary  to  visualize  the  various  failure  possibilities  in  terms  of 
the  basic  function  of  the  entire  system,  rather  than  from  the  standpoint 
of  its  component  units.  For  this  reason  particular  attention  must  be  paid 
to  redundancies  and  other  fail-safe  features,  since  the  amount  of  repli- 
cation of  a given  function  will  determine  the  seriousness  of  the  failure 
consequences.  A failure  in  a nonredundant  system  might  represent  a 
critical  loss  of  function  for  the  aircraft,  whereas  the  same  failure  in  a 
highly  redundant  system  may  not  even  affect  operational  capability. 
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EXHIBIT  7a2  The  data  elements  needed  for  analysis  of  systems  items. 


IDENTIFICATION  Of  ITEM 

Type  of  aircraft  Quantity  per  aircraft 

System  designation  Location(s) 

Item  name 

Manufacturer's  part  number 
ITEM  INFORMATION 

Item  description  (general  function  and  major  assemblies) 

Redundancies  and  protective  features  (including  instrumentation) 
Built-in  test  equipment 

AVAILABLE  RELIABILITY  DATA 
Anticipated  premature-removal  rate 

Anticipated  verified  failure  rate 

Source  of  data  (test  data  or  operating  experience) 

OPERATING  RESTRICTIONS 

Can  aircraft  be  dispatched  with  item  inoperative?  (from  MEL) 

If  so,  do  any  limiting  conditions  apply? 

RCM  INPUT 
Item  functions 

Functional  failures  (as  defined  for  each  function) 

Most  probable  failure  modes 

Predictable  failure  effects  (for  each  failure  mode) 

Evidence  of  functional  failure 

Effects  of  loss  of  function  on  operating  capability 

Effects  of  failure  beyond  loss  of  function  (including  ultimate 
effects  of  possible  secondary  damcge) 

Nature  of  failure  consequences 

Evidence  of  reduced  failure  resistance  that  can  be  used  to  define 
potential-failure  conditions 

Experience  with  other  equipment  on  which  the  same  or  similar 
item  has  been  used 
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Another  design  feature  that  affects  the  evaluation  of  failure  con- 
sequences is  the  instrumentation  or  built-in  test  equipment  for  the 
system.  This  instrumentation  is  a major  factor  in  determining  whether 
functional  failures  will  be  evident  or  hidden  from  the  operating  crew. 
It  is  also  necessary  to  know  enough  about  the  duties  of  the  operating 
crew  to  judge  whether  functional  failure  will  be  evident  during  routine 
activities,  either  through  use  of  the  function  or  as  a result  of  standard 
crew  checks  of  certain  hidden-function  items. 

In  the  airline  industry  the  minimum-equipment  list  and  the 
configuration-deviation  list,  issued  by  the  I AA,  specify  whether  or  not 
an  aircraft  can  be  dispatched  with  a given  item  inoperative.  These  lists 
help  to  determine  whether  a failure  has  operational  consequences. 
They  are  not  the  sole  determinant;  a failure  that  can  be  corrected  quickly 
may  cause  no  delay  in  flight  schedules,  and  highly  unreliable  items 
may  involve  occasional  operational  consequences  as  the  result  of  a mul- 
tiple failure.  However,  any  regulations  that  define  acceptable  flight  con- 
figuration are  an  important  part  of  the  initial  information  requirements. 

Exhibit  7.2  lists  the  data  elements  that  must  be  collected  and  orga- 
nized for  each  item  to  be  studied.  In  the  case  of  new  aircraft  much  of 
this  information  is  supplied  by  the  manufacturer  in  the  various  mainte- 
nance manuals  and  stores  catalogs  furnished  with  the  equipment.  For 
the  wide-body  Douglas  DC-10,  for  example,  the  working  groups  were 
provided  with  worksheets,  instruction  manuals,  and  schematic  dia- 
grams showing  nearly  all  the  data  available.  Usually  200  to  300  of  the 
most  important  systems,  subsystems,  and  assemblies  will  be  classified 
either  as  functionally  significant  items  or  as  items  with  hidden  func- 
tions. If  there  is  any  doubt  about  whether  an  item  is  significant  or  has 
a hidden  function,  it  is  always  classified  on  this  basis  initially  and 
included  in  the  list  of  items  to  receive  further  study. 

Once  the  data  elements  for  each  item  have  been  assembled,  they 
are  summarized  on  descriptive  worksheets  for  convenient  reference 
during  analysis  Note  in  Exhibit  7.3  that  the  item  description  indicates 
the  general  function  of  the  item,  the  level  of  item  being  considered,  and 
the  major  assemblies  and  components  it  includes.  The  failure  of  any  one 
of  these  components  would  represent  a failure  mode  for  the  item  itself. 
In  listing  the  functions  of  the  item  it  is  important  to  describe  both  its 
basic  function  and  each  of  its  secondary  functions  clearly  and  accurately, 
since  each  of  these  functions  must  be  analyzed  separately.  The  func- 
tional failures  should  be  worded  to  define  the  condition  that  consti- 
tutes a failure.  Generally  this  is  the  condition  or  state  that  exists  after 
a failure  has  occurred. 

Failure  effects  refers  to  all  the  immediate  results  of  the  failure.  For 
example,  one  effect  of  a locked  wheel  in  a brake  assembly  is  a tire  blow- 
out, with  possible  secondary  damage  to  the  airplane  structure;  another 


EXHIBIT  7-3  An  information  worksheet  for  the  air-conditioning  pack 
in  the  Douglas  DC-10. 


SYSTEM  INFORMATION  WORKSHEET  type  of  aircraft  Douglas  DC-10-10 


item  number 

item  name  Air-conditioning  pack 
vendor  part/model  no.  Airesearch  9273 7C-4 


item  description 

Pack  delivers  temperature-controlled  air  to  conditioned- 
air  distribution  ducts  of  airplane.  Major  assemblies  a Ye 
heat  exchanger,  air-cycle  machine,  anti-ice  valve,  water 
separator,  and  bulkhead  check  valve. 


reliability  data 

premaiure-iemoval  rate  (per  1,000  unit  hours) 
failure  rate  (per  1,000  unit  hours) 
source  of  data 


functions 

t 

1 To  supply  air  to  conditioned- 
air  distribution  ducts  at  the 
temperature  called  for  by  pack 
temperature  controller 


functional  failures 

A Conditioned  air  is  not 
supplied  at  called-for 
temperature 


■l 


"i 

j 

! 

i 


J 


>4 


2 To  prevent  loss  of  cabin  A No  protection  again' . i 

pressure  by  backflow  if  duct  oackflow  .; 

fails  in  unpressurized  nose-  I 

wheel  compartment  I 
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P«ge 

of 

no.  per  aircraft  3 

prepared  by 

F.  S.  Nowlan 

date 

3/6/78 

system  Air  conditioning 

reviewed  by 

J.  E.  Kuhi 

date 

3/6/78 

zone(s)  110 

approved  by 

date 

lundancies  and  protective  features  (include  instrumentation) 

The  three  packs  are  completely  independent.  Each  pack  has  a check  valve 
to  prevent  loss  of  cabin  pressure  in  case  of  duct  failure  in  unpressurized 
nese-wheel  compartment.  Flow  to  each  pack  is  modulated  by  a flow-control 
valve  which  provides  automatic  overtemperature  protection  backed  by  an 
overtemperature  tripoff.  Full  cockpit  instrumentation  for  each  pack  includes 
indicators  for  pack  flow,  turbine  inlet  temperature,  pack-temperature  valve 
position,  and  pack  discharge  temperature. 

built-in  test  equipment  (describe)  None 


Can  aircraft  be  dispatched  with  item 
inoperative?  If  so,  list  any  limitations 
which  must  be  observed. 

Yes.  No  operating  restrictions  with  one 
pack  inoperative 


classification  of  item  (check) 
significant 

X hidden  function 
* nonsignificant 


failure  modes 


failure  effects 


1 Air-cycle  machine  seized 

2 Blocked  ram-air  passages  in  heat 
exchanger 

3 Failure  of  anti-ice  valve 

4 Failure  of  water  separator 


Reduced  pack  flow,  anomalous  readings  cn  pack-flow 
indicator  and  other  instruments 

High  turbine-inlet  temperature  and  partial  closure  of 
flow-control  valve  by  overtemperalure  protection,  with 
resulting  reduction  in  pack  air  flow 

If  valve  failr,  in  open  position,  increase  in  pack  discharge 
temperature;  if  valve  fails  in  closed  position,  reduced  pack 
air  flow 

Condensation  (water  drops,  fog,  or  ice  crystals)  in  cabin 


1 Failure  of  ’ ulkhead  check  valve  None  (hidden  function);  if  duct  or  connectors  fail  in  pack 

bay,  loss  of  cabin  pressure  by  backflow,  and  airplane  must 
descend  to  lower  altitude 


effect  is  noise  and  vibration,  which  will  be  apparent  to  the  operating 
crew.  The  description  of  failure  effects  should  always  include  any  phys- 
ical evidence  by  which  the  occurrence  of  a failure  can  be  recognized. 
Very  often  this  evidence  is  an  instrument  indication  or  a warning  light 
that  informs  the  pilot  of  a malfunction.  In  some  cases  the  failure  effects 
also  include  specific  operating  restrictions,  such  as  the  need  to  descend 
to  a lower  altitude.  The  failure  effects  must  be  described  for  each  type 
of  functional  failure,  since  they  help  *o  determine  the  consequences  of 
that  failure  for  the  equipment  and  its  occupants. 

All  this  information  is  examined,  and  the  item  is  given  a conserva- 
tive initial  classification  of  significant  or  nonsignificant  on  the  basis 
of  its  failure  consequences.  Items  in  either  category  may  have  hidden 
functions;  these  must  be  identified  whether  the  item  is  significant  or 
not.  Thus  some  items  may  have  two  classifications.  An  item  classified 
as  significant  during  the  initial  partitioning  process  may  later  be  as- 
signed to  no  scheduled  maintenance,  either  because  its  failure  conse- 
quences do  not  in  fact  qualify  it  as  significant  or  because  no  maintenance 
task  can  be  found  that  will  improve  its  reliability.  At  this  stage,  how- 
ever, any  borderline  items  would  be  included  for  analysis. 


7 • 3 ANALYSIS  OF  TYPICAL  SYSTEMS  ITEMS 


DC-10  air-conditioning  pack 
nonredundant  fuel  pump 
DC-10  brake  assembly 
Boeing  74?  high-frequency 
communications  subsystem 

other  typical  systems  items 


ANALYSIS  OF  AN  AIR-CONDITIONING  PACK 

The  air-conditioning  pack  described  in  Exhibit  7.3  is  the  cooling  por- 
tion of  the  Douglas  DC-10  air-conditioning  system.  This  subsystem  was 
classified  as  significant  during  the  first  review  of  the  DC-10  systems 
because  of  its  size,  complexity,  a d cost.  There  are  three  independent 
installations  of  this  item,  located  in  the  unpressurized  nose-wheel  side 
compartment  of  the  airplane  (see  Exhibit  7.4).  Hot  high-pressure  air, 
which  has  been  bled  from  the  compressor  section  of  the  engine,  enters 
the  pack  through  a flow-control  valve  and  is  cooled  and  dehumidified 
by  a heat  exchanger  and  the  turbine  of  an  air-cycle  refrigeration  ma- 
chine. The  cooled  air  is  then  directed  through  a distribution  duct  to  a 
manifold  in  the  pressurized  area  of  the  airplane,  where  it  is  mixed  with 
hot  trim  air  and  distributed  to  the  various  compartments.  The  per- 
formance of  each  pack  is  controlled  by  a pack  temperature  controller. 
Each  pack  is  also  monitored  by  cockpit  instrumentation  and  can  be  con- 
trolled manually  if  there  is  trouble  with  the  automatic  control  system. 

The  pack  itself  consists  of  the  heat  exchanger,  the  air-cycle  machine 
(which  has  air  bearings),  an  anti-ice  valve,  a water  separator,  and  a 
check  valve  at  the  pressure  bulkhead  to  prevent  backflow  and  cabin 
depressurization  if  there  is  a duct  failure  in  the  unpressurized  area. 
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Two  functions  have  been  listed  for  the  air-conditioning  pack.  Its 
basic  function  is  to  supply  air  to  the  distribution  duct  at  the  tempera- 
ture called  for  by  the  pack  controller.  This  function  is  considered  first: 


1  Is  the  occurrence  of  a failure  evident  to  the  operating  crew  during 
performance  of  normal  duties? 


Any  one  of  the  failure  modes  listed  will  result  in  changes  in  the  pack's 
performance,  and  these  anomalies  will  be  reflected  by  the  cockpit  instru  - 
ments. Hence  the  functional  failure  in  this  case  can  be  classified  as 
evident. 

The  loss  of  function  in  itself  does  not  affect  operating  safety;  how- 
ever, each  of  the  failure  modes  must  be  examined  for  possible  secondary 
damage: 


2  Does  the  failure  cause  a loss  of  function  or  secondary  damage  that 
could  have  a direct  adverse  effect  on  operating  safety? 


Engineering  study  of  the  design  of  this  item  shows  that  none  of  the 
failure  modes  causes  any  damage  to  surrounding  items,  so  the  answer 
to  this  question  is  no. 

The  next  question  concerns  operational  consequences: 


3  Does  the  failure  have  a direct  adverse  effect  on  operational 
capability? 


Because  the  packs  are  fully  replicated,  the  aircraft  can  be  dispatched 
with  no  operating  restrictions  when  any  one  pack  is  inoperative.  There- 
fore there  is  no  immediate  need  for  corrective  maintenance.  In  fact,  the 
aircraft  can  be  dispatched  even  if  two  units  are  inoperative,  although 
in  this  event  operation  would  be  restricted  to  altitudes  of  less  than 
25,000  feet. 

On  this  basis  we  would  reclassify  the  air-conditioning  pack  as  a 
functionally  nonsignificant  item.  Failure  of  any  one  of  the  three  packs 
to  perform  its  basic  function  will  be  evident,  and  therefore  reported  and 
corrected.  A single  failure  has  no  effect  on  safety  or  operational  capa- 
bility, and  since  replacement  of  the  failed  unit  can  be  deferred,  there 
are  no  economic  consequences  other  than  the  direct  cost  of  corrective 
maintenance.  Under  these  circumstances  scheduled  maintenance  is 
unlikely  to  be  cost-effective,  and  the  costs  cannot  be  assessed  in  any 
event  until  after  the  equipment  enters  service.  Thus  in  developing  a 
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prior-to-service  program  there  is  no  need  to  make  an  intensive  search 
for  scheduled  tasks  that  might  prevent  this  type  of  failute. 

When  we  examine  the  second  function  of  the  air-conditioning 
pack,  however,  we  find  an  element  that  does  require  scheduled  mainte- 
nance, The  bulkhead  check  valve,  which  prevents  backflow  in  case  of 
a duct  failure,  is  of  lightweight  construction  and  flutters  back  and  forth 
during  normal  operation.  Eventually  mechanical  wear  will  cause  the 
flapper  to  disengage  from  its  hinge  mount,  and  if  the  duct  in  lhe  unpres- 
surized nose-wheel  compartment  should  rupture,  the  valve  will  not  seal 
the  entrance  to  the  pressurized  cabin. 

To  analyze  this  second  type  of  failure  we  start  again  with  the  first 
question  in  the  decision  diagram: 


1 Is  the  occurrence  of  a failure  evident  to  the  operating  crew  during 
performance  of  normal  duties? 


The  crew  will  have  no  way  of  knowing  whether  the  check  valve  has 
failed  unless  there  is  also  a duct  failure.  Thus  the  valve  has  a hidden 
function,  and  scheduled  maintenance  is  required  to  avoid  the  risk  of 
a multiple  failure-- failure  of  the  check  valve,  followed  at  some  later 
time  by  failure  of  the  duct.  Although  the  first  failure  would  have  no 
operational  consequences,  this  multiple  failure  would  necessitate  des- 
cent to  a lower  altitude,  and  the  airplane  could  not  be  dispatched  after 
boding  until  repairs  were  made. 

With  a no  answer  to  question  1 proposed  tasks  for  the  check  valve 
fall  in  the  hidden-function  branch  of  the  decision  diagram: 


14  Is  an  on-condition  task  to  detect  potential  failures  both  applicable 
and  effective: 


Engineering  advice  is  that  the  duct  can  be  disconnected  and  the  valve 
checked  for  signs  of  wear.  Hence  an  on-condition  task  is  applicable.  To 
be  effective  the  inspections  must  be  scheduled  at  short  enough  intervals 
to  ensure  adequate  availability  of  the  hidden  function.  On  the  basis  of 
experience  with  other  fleets,  an  initial  interval  of  10,000  hours  is  speci- 
fied, and  the  analysis  of  this  function  is  complete. 

In  this  case  inspecting  the  valve  for  wear  costs  no  more  than 
inspecting  for  failed  valves  and  is  preferable  because  of  the  economic 
consequences  of  a possible  multiple  failure.  If  a multiple  failure  had  no 
operational  consequences,  scheduled  inspections  would  still  be  neces- 
sary' to  protect  the  hidden  function:  however,  they  would  probably  have 

been  scheduled  at  longer  intervals  as  a failure-finding  task.  SICTlON  7-3  169 
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EXHIBIT  7 -5  A worksheet  showing  the  results  of  RCM  analysis  of  the 
air-conditioning  pack  in  the  Douglas  DC-10.  The  references  in  the 
first  column  are  to  the  functions,  'unctional  failures,  and  failure 
modes  listed  in  Exhibit  7.3. 


Exhibit  7.5  shows  the  results  of  the  preceding  analysis,  including 
the  response  to  each  question  in  the  decision  diagram.  Note  that  the 
basis  for  each  answer  to  the  first  three  quesfionj  is  directly  traceable 
to  the  information  recorded  on  the  descriptive  worksheet  in  Exhibit  7.3. 

ANALYSIS  OF  A NONREDUNDANT  FUEL  PUMP 

The  fuel-  pump  assembly  described  in  Exhibit  7.6  was  classified  as  a 
significant  item  because  the  aircraft  in  which  it  is  ins', .’.lied  is  a single- 
engine attack  plane.  This  means  that  a complete  loss  of  function  will 
bring  the  airplane  out  of  the  sky.  As  indicated  on  the  worksheet,  the 
fuel  pump  is  subject  to  four  types  of  functional  failures.  The  first  of  these 
is  loss  of  fuel  flow  (and  pressure),  and  the  associated  failure  mode  is 
stripped  splines  on  the  main  drive  shaft. 


1 Is  the  occurrence  of  r failure  evident  to  the  operating  crew  during 
performance  of  normal  duties? 
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pt|t  of 

Hmitumbt' 


pnptttil  by  F.  S.  MwHw  r«vi*w*d  by  J.  E.  Kohl 


prapoMd  task 


Initial  interval 


Non*.  This  functional  failure  has 
no  significant  comaananctaj 
(adattify  aa  nonsignificant. 


Disconnect  duct  to  manifold  and  Not  to  exceed  10,000  hours 
examine  check  valve  for  wear 


Lc"  s of  fuel  flow  results  in  fuel  starvation  of  the  engine  and  an  imme- 
diate and  complete  loss  of  thrust  (flameout).  The  pilot  will  sense  this 
loss  of  thrust  by  a reduction  in  engine  noise  and  deceleration  of  the 
aircraft,  but  it  will  also  be  evidenced  by  many  instruments  — tfte  fuel- 
pressure  indicator,  the  fuel-flow  indicator,  the  engine  tachometer,  the 
airspeed  indicator,  and  the  altimeter.  The  answer  to  question  1 is  there- 
fore yes. 

‘unce  the  failure  is  evident,  the  next  concern  is  with  its  direct 
consequences: 


2 Does  the  failure  cause  a loss  of  function  or  secondary  damage  that 
could  have  a direc*  adverse  effect  on  operating  safety? 


In  the  event  of  a flameout,  the  pilot  must  either  eject  or  make  the  best 
power-off  landing  he  can,  regardless  of  the  landing  conditions.  In  this 
case  the  loss  of  function  itself  has  safety  consequences,  so  it  is  unnece  - 
s.iry  to  consider  whether  either  of  the  failure  modes  causes  hazardous 
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EXHIBIT  7 ’6  An  information  worksheet  for  the  fuel  pump  in  the 
Douglas  A-4,  a single-engine  attack  airplane. 


SYSTEM  INFORMATION  WORKSHEET  type  of  aircraft  Douglas  A-4 


item  number 

item  name  Fuel  pump 

vendor  part/model  no. 


item  description 

Multistage  engine  fuel  pump  driven  through  splined 
shaft  by  engine-accessory  gearbox.  Delivers  high- 
pressure  fuel  to  fuel  control  and  provides  fuel- 
control  governor  with  engine-speed  information. 
Includes  a fuel  filter  and  filter  bypass. 


reliability  data 

premature-removal  rate  (per  1,000  unit  houis) 
failure  rate  (per  1,000  unit  hours) 
source  of  data 


functions 

1 To  pump  fuel  to  engine 
through  fuel-control  unit 

2 To  contain  fuel,  without 
external  leakage 

3 To  filter  fuel 


functional  failures 
A No  fuel  flow  (and  pressure) 

A External  fuel  leaks 

A Unable  to  filter  fuel 


4  To  provide  engine-speed  A Loss  of  engine-speed  signal 

signal  to  fuel  control 
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page 


of 


no.  per 

aircraft  1 

prepared  by  F.  S.  Nowlan 

date 

3/6/78 

system 

Fuel  supply 

reviewed  by  T.  M.  Edwards 

date 

3/6/78 

zone(s! 

approved  by 

date 

redundancies  and  protective  features  (include  instrumentation) 

Fuel  flow  and  fuel  pressure  are  instrumented.  Warning  light  indicates 
when  fuel  filter  is  bypassed,  manual  fuel-hf  * control  can  be  used  to 
clear  filter  of  ice  particles.  Fuel-control  unit  includes  fuel  bypass 
with  a constant-flow  restrictor  that  automatically  provides  sufficient 
fuel  for  80  percent  N,  engine  speed  if  speed  signal  is  It 


built-in  test  equipment  (describe)  None 


C.in  aircraft  be  dispatched  with  item 
inoperative?  If  so,  list  any  limitations 
which  must  be  observed. 

No 


classification  of  item  (check) 
X significant 

hidden  function 
nonsignificant 


failure  modes 


1 Stripped  splines  on  main  drive 
shaft 


failure  effects 

Instruments  show  no  fuel  flow  and  pressure;  engine 
flameout,  requiring  forced  no-power  landing 


1 Wont  or  damaged  main-shaft  Small  loss  of  fuel  through  overboard  drains 

seals 


1 Filter  clogged  by  ice  or 
debris  from  wear 


1 Stripped  splines  on  fuel-control- 
govemor  drive  shaft 


Warning  light  shows  filter  bypass,  possible  delivery  of 
contaminated  fuel  to  fuel  control  and  engine,  if  fuel  heater 
does  not  correct  for  ice  particles  (warning  light  goes  out), 
airplane  must  land  at  nearest  airport 

Fuel  control  automatically  provides  fuel  for  80  percent  Nt 
engine  speed,  no  engine  control  except  manual  shutdown; 
landing  haza  dous 


Impeller 


Fuel  inlet 


Fuel  heater 


Filter  bypass  \alve 


Fuel  filter 


Fuel-control-govemor 
drive  shaft  Discharge  (to 

03  t fuel  control) 


Impeller  drive  gears 


Discharge  pressure 
relief  valve 


Drive-shaft  seals 


Fuel-pump  main 
drive  shaft 


EXHIBIT  7-7  Schematic  diagram  of  the  fuel-pump  assembly  in  the 
Douglas  A-4.  The  fuel-pump  main  drive  shaft  is  powered  by 
the  airplane  engine. 


secondary  damage.  The  yes  answer  to  this  question  brings  us  to  the 
safety  branch  of  the  decision  diagram,  where  all  applicable  scheduled- 
maintenance  tasks  are  required  but  are  considered  effective  only  if  they 
reduce  the  risk  of  this  failure  to  ar.  acceptable  level. 

We  must  now  evaluate  possible  preventive  tasks  directed  at  the 
failure  mode,  stripped  drive-shaft  splines: 


4 Is  an  on-condition  task  to  detect  potential  failures  both  applicable 
and  effective? 


Periodic  inspection  of  the  drive  shaft  for  spline  wear  will  result  in  the 
removal  of  units  from  service  ai  the  potential-failure  stage;  hence  an 
on-condition  task  is  applicable.  If  this  task  reduced  the  risk  of  a func- 
tional failure  to  an  acceptable  level,  it  would  also  be  considered  effec- 
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tive,  and  the  answer  to  the  question  would  be  yes.  In  an  initial  program, 
however,  the  chief  source  of  information  concerning  the  effectiveness 
of  an  on-condition  task  is  prior  experience  with  a similar  item.  In  this 
case  such  information  is  not  available,  and  even  though  we  know  the 
task  will  be  applicable,  we  have  no  means  of  determining  that  it  will  pro- 
vide the  degree  of  protection  required.  Under  these  circumstances  we 
would  be  reluctant  to  consider  this  task  as  meeting  the  effectiveness 
criterion,  and  the  answer  to  the  on-condition  question  must  therefore 
be  no. 

Since  an  effective  on-condition  task  has  not  been  identified,  we 
must  investigate  other  types  of  tasks: 


5 Is  a rework  task  to  reduce  the  failure  rate  both  applicable  and 
effective? 


The  fuel  pump  is  a complex  item,  so  we  would  not  expect  scheduled 
rework  to  make  a difference  in  its  overall  reliability.  Such  a task  might 
be  applicable,  however,  for  a specific  failure  mode  involving  a simple 
part,  such  as  stripped  drive-shaft  splines.  In  this  case  scheduled  rework 
would  probably  entail  removing  the  pump  from  the  aircraft  and  send- 
ing it  to  the  maintenance  base  for  machine  work  to  restore  the  splines 
to  “like-new"  condition.  If  analysis  of  the  other  failure  possibilities 
identified  additional  parts  that  could  benefit  from  rework,  there  might 
be  quite  extensive  rework  activity  while  the  pump  was  at  the  base. 

Scheduled  rework  might  lead  to  an  appreciable  reduction  in  fuel- 
pump  failures  if  the  failure  modes  for  which  rework  tasks  were  appli- 
cable represented  a large  proportion  of  the  failure  possibilities  for  this 
item.  However,  this  is  an  unusual  situation  for  a complex  item  More- 
over, the  information  necessary  to  assess  the  value  of  a rework  task  is 
not  available  at  the  time  an  initial  program  is  developed.  At  this  stage, 
therefore,  we  cannot  conclude  that  scheduled  rework  would  provide 
any  guarantee  of  operating  safety  and  would  have  to  answer  this  ques- 
tion no. 

A no  answer  to  the  rework  question  means  that  we  must  move  on 
to  the  question  of  a discard  task: 


6 !s  a discard  task  to  avoid  failures  or  reduce  the  failure  rate  both 
applicable  and  effective? 


During  the  development  of  an  initial  program  the  answer  to  this  ques- 
tion must  be  no  unless  the  pump  manufacturer  has  specified  a safe-life 
limit  for  the  drive  shaft. 


Since  no  single  task  has  been  identified  thus  far  which  will  pro- 
tect against  loss  of  the  basic  fuel-pump  function,  there  is  one  further 
recourse: 


7 Is  a combination  of  preventive  tasks  both  applicable  and  effective? 


The  answer  must  again  be  no,  since  the  only  task  that  might  possibly 
be  of  benefit  is  an  on-condition  inspection  of  the  drive  shaft.  The  out- 
come of  the  analysis,  therefore,  is  that  scheduled  maintenance  cannot 
prevent  pump  failures,  and  to  avoid  critical  failures  the  design  must 


EXHIBIT  7 ‘8  A worksheet  showing  the  results  of  RCM  analysis  of 
the  fuel  pump  in  the  Douglas  A-4.  The  references  in  the  first  column 
are  to  the  functions,  functional  failures,  and  failure  modes  listed  in 
Exhibit  7.6. 


SYSTEM  DECISION  WORKSHEET  type  of  aircraft  Douglai  A-4 


item  name  Fuel  pump 


responses  to  decision-diagram  questions 
ref.  consequences  task  selection 

F FF  FM  1 2 3 4 5 6 7 8 9 10  It  12  13  14  15  16 


1  A 1 YY-NNNN 


If  airplane  must  enter  service  Ik  .fere  design  is 
modified,  the  following  responses  would  be  appro- 
priate, although  there  is  no  assurance  that  scheduled 
tasks  will  meet  effectiveness  criterion. 


1 A 1 Y Y - Y 

2 A 1 N — — — — — ——  — — — — — NNN 

3 A 1 Y N Y — — — — Y 

4 A 1 YY-NNNN 
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be  changed  — in  this  case  to  provide  redundant  pumping  capabilities 
in  the  fuel-supply  system. 

What  can  be  done  if  the  aircraft  must  enter  service  before  the  de- 
sign can  be  modified?  An  on-condition  inspection  of  the  drive  shaft 
for  spline  wear  can  , <e  assigned  because  such  a task  is  usually  effective 
for  a single  mechanical  part.  We  do  not  know  whether  it  will  prove 
effective  in  this  case.  A rework  task  would  probably  not  be  scheduled  to 
remachine  the  splines,  instead  the  shaft  would  be  replaced  if  the  splines 
were  in  bad  condition.  All  such  tasks,  however,  would  entail  scheduled 
removals,  because  the  fuel  pump  must  be  disassembled  to  gain  access 
to  the  shaft.  The  initial  intervals  would  be  very  conservative,  and  we 


prepared  by  F.  S.  N owl  an 


page  of 
Item  number 


reviewed  by  T.  M.  Edwards 


proposed  task 


initial  interval 


{None.  Redesign  is  necessary  to 
provide  sufficient  redundancy  for 
operating  safety. 


Inspect  main  fuel-pump  drive 
shaft  for  spline  wear 

Inspect  for  external  leaks 
(failure  finding) 

Inspect  filter  for  contamination 

Outcome  as  for  failure  of 
main  drive  shaft,  1 A 1 


Not  to  exceed  1,000  hours 

During  walkaround  checks 
and  overnight  stops 

Not  to  exceed  60  hours 


would  still  have  to  recognize  that  operating  experience  may  show  that 
these  measures  are  not  reducing  the  hazard  to  an  acceptable  level. 

In  addition  to  loss  of  fuel  flow  as  a result  of  mechanical  failure,  the 
pump  is  also  subject  to  external  leaks.  While  a leak  serious  enough  to 
affect  fuel  pressure  would  be  evident  to  the  operating  crew,  the  fact  that 
a leak  has  formed  will  not  be  evident  from  the  cockpit  instrumentation. 
The  answer  to  the  first  decision  question  is  therefore  no,  which  takes  us 
to  tne  hidden-function  branch  of  the  diagram.  Ac  indicated  by  the 
answers  recorded  in  Exhibit  7.8,  there  are  no  applicable  and  effective 
on-condition,  rework,  or  discard  tasks  in  this  case.  Therefore  we  arrive 
at  the  default  alternative  and  must  schedule  a failure-finding  task  — an 
inspection  during  walkaround  checks  and  overnight  stops  for  any  leaks 
that  exceed  a specified  value. 

The  third  type  of  funeb  >nal  failure  results  from  clogging  of  the  fuel 
filter.  A warning  light  informs  the  pilot  when  this  condition  exists,  so 
the  failure  is  classified  as  evident.  It  does  not  present  any  safety  prob- 
lems, but  it  does  have  operational  consequences,  since  a single-engine 
plane  must  land  at  the  nearest  airport  and  cannot  be  dispatched  until 
this  condition  has  been  corrected.  An  on-condition  inspection  of  the 
fuel  filter  for  contamination  is  applicable.  In  this  case  the  failure  con- 
sequences are  economic;  hence  the  criterion  of  task  effectiveness  is 
cost.  The  cost  of  performing  this  task  is  so  low  that  it  would  be  judged 
as  cost-effective  in  an  initial  program.  As  a result  of  experience  with 
other  fuel  pumps,  an  initial  interval  of  60  hours  is  set  for  this  check. 

The  fourth  type  of  failure  is  inability  to  provide  engine-speed  in- 
formation to  the  fuel-control  assembly,  caused  by  failure  of  the  governor 
drive  shaft  (see  Exhibit  7.7).  Since  the  analysis  of  this  failure  is  similar 
to  that  for  failure  of  the  main  drive  shaft,  the  details  are  not  repeated  in 
Exhibit  7.8.  If  tasks  were  scheduled,  they  would  be  performed  at  the 
same  time  as  those  for  the  main  drive  shaft. 

ANALYSIS  OF  A LANDING-GEAR  BRAKE  ASSEMBLY 

The  brake  assembly  for  the  main  landing  gear  of  the  Douglas  DC-10  is 
classified  as  significant  because  the  primary  function  of  the  braking 
system  is  to  provide  stopping  capability  after  landing  or  during  other 
ground  operation.  Since  a complete  loss  of  this  function  would  clearly 
have  safety  consequences,  it  is  necessary  to  consider  how  the  brake 
assembly  contributes  to  the  overall  system  function.  The  full  braking 
capacity  is  rarely  used,  and  its  effect  is  masked  by  concurrent  use  of 
reverse  thrust  from  the  engine.  As  a result,  the  pilot  is  not  likely  to 
notice  the  reduction  in  stopping  capability  caused  by  a failure  in  one 
brake  assembly  of  a multiwheeled  landing  gear.  This  item  therefore  has 
hidden  functions  as  well.  Had  there  been  a difference  of  opinion  about 
the  crew's  ability  to  detect  this  condition,  the  default  strategy  would 
also  have  required  that  these  functions  be  classified  as  hidden. 


EXHIBIT  /-I0  An  information  worksheet  for  the  nuin-l.iiuting-ge.ir 
brake  .issemhl)  of  the  nmifj,,s  IK'-IO. 


'TTi"r  ' 


SYSTEM  INFORMATION  WORKSHEET  type  of  aircraft  Douglas  DC-10-10 


item  number 

item  name  Brake  assembly,  main  landing  gear 
vendor  part/model  no.  Coodyear  500709 


item  description 

Multiple-plate  disk  brakr  (seven  rotors  and  six  stators} 
powered  by  eight  hydra  jlic-drivtn  pistons.  Pressure 
line  to  this  assembly  is  included  for  purpose*  of 
analysis 


reliability  data 

premature-removal  rate  (per  1,000  unit  hours)  1 per  l^MO  landings 
failure  rate  (per  1,000  unit  hours) 
source  of  data  Similar  equipment 

functions  functional  failures 

1 To  provide  stopping  A No  braking  action 

capability  on  command  during 

ground  operation 

n Reduced  braking  action 

2 To  release  brakes  A Dragging  brake 


3  To  contain  hydraulic  fluid  A External  hydraulic  leaks 


180  applications 


P*K* 


of 


no.  per  aircraft  8 

prepared  by 

F.  S.  Nowlan 

date 

3/6/78 

system  Landing  gear 

reviewed  by 

T.  M.  Edwards 

date 

3/6/78 

rone(s)  733,  743 

appruved  by 

cU  e 

redundancies  and  protective  features  (Include  instrumentation) 

One  brake  assembly  in  each  wheel  (tour)  of  each  main-landing-gear 
truck.  Separate  hydraulic  systems  power  half  the  pistons  in  each  brake; 
loss  of  brake  fluid  due  to  failed  pressure  line  to  wheel  prevented  by 
fluid  quantity  limiters  in  each  hydraulic  system.  Engine  thrust  reverser 
provides  another  source  of  stopping  capability.  Whc dwell  is  designed 
to  pievent  critical  secondary  damage  by  debris  from  tire  failure. 


built-in  test  equipment  (describe)  Visual  wear  indicators 


Can  aircraft  be  dispatched  with  item 
inoperative?  If  so,  list  any  limitations 
which  must  be  observed. 

Yes.  If  one  brake  assembly  inoperative, 
gross  takeoff  ar-d  landing  weights  must  be 
reduced. 


classification  of  item  (check) 
X significant 

X hidden  function 
nonsignificant 


failure  modes 

1 Brake  wear  to  point  of  seizure 

1 Broken  pressure  line 

1 Malfunction  of  aduster  assembly 


railure  effects 

Wheel  skid,  causing  tire  blowout;  audible  noise  and 
vibration,  possible  extensive  secondary  damage  to  systems 
within  wheelwell;  requires  correction  before  dispatch 

No  braking  action  from  half  the  actuating  pistons  In  one 
assembly,  reusing  reduced  braking  capability  and  slightly 
increased  mirimtim  stopping  distance 

Increased  wear  of  pad  and  disk;  overheating  of  brake  and 
tire  may  cause  tire  fuse  plugs  to  blow,  with  landing  on  flat 
tire  and  secondaiy  damage  from  the  failure;  requires  cor- 
rection before  dispatch 


1 


Damaged  or  distorted  piston  seals 


Slow  loss  of  hydraulic  fluid  from  one  system 


A review  oi  the  design  characteristics  of  the  DC-10  shows  that  each 
truck  on  the  main  landing  gear  has  four  wheels,  and  each  wheel  has  a 
multiple-disk  brake  assembly  consisting  of  seven  rotors  and  six  stators 
(see  Exhibit  7.9).  The  brakes  are  powered  by  eight  pistons,  four  of 
which  are  driven  by  one  hydraulic  system  and  four  by  another.  With- 
out this  extensive  replication,  especially  of  the  wheels  on  each  truck, 
reduced  stopping  capability  in  one  brake  assembly  might  be  a critical 
failure.  In  this  case  the  failure  results  only  in  slightly  increased  stopping 
distances.  One  of  the  failure  effects,  however,  is  a possible  tire  blowout, 
with  secondary  damage  caused  by  rubber  thrown  from  the  damaged 
tire  Brake  assemblies  can  be  replaced  in  the  field,  but  the  time  required 
will  cause  delays.  The  aircraft  can  also  be  dispatched  with  one  assembly 
inoperative,  but  only  at  a great  penalty  in  operating  weight.  Thus  any 
observed  failure  of  a brake  assembly  has  operational  consequences. 

Note  that  in  this  case  the  primary  function  of  the  brake  assembly 
is  subject  to  two  failure  possibilities  no  braking  action  and  reduced 
braking  action.  Each  of  these  functional  failures  must  be  considered 
separately.  The  first  type  of  failure  is  no  braking  action,  caused  by 
brake  v/ear: 


1 Is  the  occurrence  of  a failure  evident  to  the  operating  crew  during 
performance  of  normal  duties? 


If  the  brake  pads  are  allowed  to  wear  beyond  a certain  point,  they  come 
loose  from  the  rotor  and  jam  between  the  rotors  and  stators,  causing  the 
brake  to  seize.  The  wheel  will  therefore  not  rotate  on  landing,  and  the 
tire  will  skid  and  blow  out,  throwing  pieces  around  the  wheelwell.  The 
resulting  noise  and  vibration  would  be  evident  to  the  flight  crew;  thus 
the  answer  to  this  question  is  yes. 

With  a yes  answer  to  question  1 wc  must  now  consider  the  possible 
consequences  of  this  failure: 


2 Docs  the  failure  cause  a loss  of  function  or  secondary  damage  that 
could  have  a direct  adverse  effect  on  operating  safety? 


The  loss  of  braking  function  for  one  of  the  eight  wheels  is  not  in  itself 
critical,  so  the  answer  to  the  first  part  of  this  question  is  no.  The  answer 
to  ac  second  part  is  also  no,  because  this  failure  has  been  taken  into 
account  in  the  design  of  the  wheelwell,  so  that  secondary  damage  from 
occasional  tire  failures  will  not  be  critical. 

Although  a scheduled  task  is  not  required  for  safety  reasons,  the 
secondary  damage  does  he.ve  serious  operational  consequences: 
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3 Does  the  failure  have  a direct  adverse  effect  on  operational 
capability? 


In  addition  to  the  time  required  to  exchange  the  brake  assembly,  this 
particular  type  of  failure  can  result  in  extensive  damage  to  hydraulic 
lines,  flight-control  surfaces,  and  other  fail-safe  systems.  Thus  the  sec- 
ondary damage  alone  may  prevent  the  airplane  from  being  dispatched. 
Such  a failure  therefore  has  serious  economic  consequences,  and  we 
must  consider  the  possible  preventive  tasks. 

The  first  choice  is  an  on-condition  task  directed  at  detecting  brake 
wear: 


8 Is  an  on-condition  task  to  detect  potential  failures  both  applicable 
and  effective? 


This  brake  assembly  is  equipped  with  wear  indicators  that  show  when 
the  pad  and  disk  stack  have  reached  a wear  level  that  calls  for  replace- 
ment. Since  the  wear  indicators  make  it  possible  to  define  a potential- 
failure  condition,  an  on-condition  task  is  applicable;  it  will  also  be 
effective  as  long  as  the  inspection  interval  is  short  enough  to  ensure 
sufficient  remaining  pad  to  keep  the  brake  from  locking. 

In  an  initial  program  inspection  of  the  wear  indicators  might  he 
assigned  for  every  overnight  layover  at  a maintenance  station,  since  this 
would  be  a convenient  time  to  change  brake  assemblies  if  a potential 
failure  is  found.  The  brake  assembly  will  ordinarily  be  removed  if  the 
wear  indicator  shows  that  fewer  than  20  more  landings  are  possible. 
The  wear  indicators  will  also  be  checked  at  ever)'  preflight  walkaround, 
but  the  wear  criterion  will  be  less  stringent.  The  objective  is  for  the 
overnight  mechanics  to  be  the  first  to  identify  the  need  for  a brake 
change,  to  reduce  the  number  of  delays  incurred  by  the  discovery  of 
potential  failures  in  the  field. 

The  second  type  of  functional  failure,  reduced  braking  action,  is 
caused  by  a broken  pressure  line — the  line  from  the  fluid  quantity  lim- 
iter to  the  brake  assembly  itself.  (These  lines  are  treated  as  part  of  the 
brake  assembly  because  the  limiters  and  lines  are  independent  for  each 
system  to  each  wheel.)  Analysis  of  this  failure  possibility  takes  us 
again  to  the  first  question  in  the  decision  diagram: 


1 Is  the  occurrence  of  a failure  evident  to  the  operating  crew  during 
performance  of  normal  duties? 
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A broken  pressure  line  will  result  in  a loss  of  function  for  only  half  the 
actuating  pistons  in  the  affected  assembly,  as  the  limiter  stops  the  flow 
of  hydraulic  fluid  when  the  line  breaks.  Thus  the  other  four  pistons  in 
the  assembly  will  still  provide  normal  braking  action.  There  is  sufficient 
braking  margin  that  the  slight  reduction  in  braking  capability  would  not 
come  to  the  attention  of  the  operating  crew  — that  is  the  failure  would 
not  be  evident. 

A no  answer  to  the  first  question  means  that  a scheduled  task  is 
required  to  ensure  that  the  failure  will  be  found  and  corrected,  and 
further  analysis  falls  in  the  hidden-function  branch  of  the  decision  dia- 
gram. In  this  case  either  one  of  the  directly  preventive  tasks  or  a failure- 
finding  task  must  be  assigned  to  avoid  the  risk  of  a multiple  failure.  The 
choice  depends  on  technical  feasibility  and  relative  cost. 


14  Is  an  on-condition  task  to  detect  potential  failures  both  applicable 
and  effective? 


EXHIBIT  7atl  A worksheet  showing  the  results  of  RCM  analysis  of 
the  Douglas  DC- 10  brake  assembly.  References  in  the  first  column  are 
to  the  functions,  functional  failures,  and  failure  modes  listed  in 
Exhibit  7.10. 


SYSTEM  DECK ’ON  WORKSHEET  type  of  aircraft  Douglas  DC-10-10 

Item  name  Brake  assembly,  main  landing  gear 

responses  to  decision-diagram  quesHons 


ref.  consequences  *«k  selection 

F FF  FM  1 2 3 45678  9 10  11  1213  14  15  16 

1 A 1 Y N V — — — — Y 

IB  1 N - - - __  — — — — N N N 

2 A 1 N - --  --  --  --  - - -Y 

3 a 1 N - - NNN 
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On-condition  inspections  are  not  applicable  for  this  failure  mode  be- 
cause we  cannot  define  a condition  that  will  preclude  functional  failures. 
This  brings  us  to  the  question  of  a rework  task: 


15  Is  a rework  task  to  reduce  the  failure  rate  both  applicable  and 
effective? 


At  the  time  the  initial  program  is  developed  there  is  no  information  to 
indicate  that  a rework  task  is  applicable  and  will  be  cost-effective;  hence 
the  answer  to  this  question  is  no. 


16  Is  a discard  task  to  avoid  failures  or  reduce  the  failure  rate  both 
applicable  and  effective? 


Once  again,  there  is  no  information  to  support  the  applicability  of  an 
economic-life  limit,  so  the  answer  in  an  initial  program  is  no.  A failure- 


p repared  by  F.  S.  Nowlan 


proposed  task 


page  of 
item  number 

reviewed  by  T.  M.  Edwards 

initial  interval 


Inspect  brake  wear  indicators 

Inspect  for  broken  lines 
(failure  finding) 

Test  automatic  brake  adjuster 

Inspect  for  external  leaks  (failure 
finding) 


During  walluuound  checks  and 
overnight  stops 

During  walkaround  checks  and 
overnight  stops 

Whenever  brake  assembly  is  in 
shop 

During  walkaround  checks  and 
overnight  stops 
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finding  task  is  therefore  required  — an  inspection  during  preflight  walk- 
arounds  and  overnight  layovers  to  check  for  broken  lines. 

In  addition  to  its  primary  function  of  providing  stopping  capability, 
the  brake  assembly  has  two  further  functions.  It  must  be  capable  of 
releasing  the  brake,  so  that  it  does  not  drag,  and  it  must  contain  the 
hydraulic  fluid.  Brake  drag  is  caused  by  a malfunctioning  automatic 
brake  adjuster,  and  this  subassembly  is  not  visible  unless  the  brake 
assembly  is  removed  and  disassembled.  In  most  cases  the  only  effect  of 
this  failure  is  increased  brake  wear,  which  will  show  up  on  the  brake 
wear  indicator.  Thus  the  brake  assembly  will  eventually  be  removed  for 
repair  as  a result  of  the  on-condition  task  already  scheduled,  and  the 
automatic  adjuster  can  then  be  checked  and  adjusted  as  necessary  while 
the  assembly  is  in  the  shop.  In  a few  cases  the  failure  effects  may  include 
overheating  of  the  brake  assembly,  pulling  of  the  brake  on  one  side,  a 
blowout  of  the  tire-pressure  plug,  and  possibly  a landing  on  a flat  tire  — 
in  short,  the  same  ultimate  effects  as  those  caused  by  a locked  brake.  In 
this  event  the  failure  would  be  evident  to  the  operating  crew;  however, 
the  same  additional  task  would  apply  in  either  case:  a shop  specification 
to  inspect  the  automatic  brake  adjuster  on  all  brake  assemblies  that 
come  in  for  repair. 

The  last  type  of  failure,  hydraulic  leaks  caused  by  damaged  or  dis- 
torted seals,  results  in  a slow  loss  of  fluid  from  the  hydraulic  system. 
Like  the  broken  pressure  line,  this  failure  possibility  falls  in  the  hidden- 
function  branch.  If  some  leakage  were  permitted,  so  that  a slight  leak 
could  be  defined  as  a potential  failure,  an  on-condition  task  would  be 
applicable.  In  this  case,  however,  any  leak  is  defined  as  a functional 
failure.  Rework  and  discard  tasks  are  not  applicable  for  this  failure  mode, 
so  the  only  choice,  by  default,  is  a failure-finding  task,  an  inspection 
during  preflight  walkarounds  and  overnight  layovers  for  external  leaks. 

The  results  of  this  analysis  are  summarized  in  Exhibit  7.11.  Note 
that  we  have  discussed  four  types  of  functional  failures,  all  of  which 
could  ultimately  affect  the  stopping  capability  of  the  airplane.  If  we  had 
treated  reduced  stopping  capability  as  a single  functional  failure,  we 
would  have  considered  exactly  the  same  failure  modes  and  identified 
exactly  the  same  inspection  tasks  for  inclusion  in  the  program. 

ANALYSIS  OF  A HIGH-FREQUENCY  COMMUNICATIONS  SUBSYSTEM 

The  information  worksheet  in  Exhibit  7.12  describes  the  high-frequency 
communications  system  used  for  voice  communications  on  Boeing  747 
aircraft  operated  on  long  overwater  flights.  This  system  consists  of  two 
identical  subsystems  which  are  completely  independent  of  each  other, 
right  down  to  the  antennas  and  the  source  of  electrical  power  from  the 
airplane's  power-supply  system.  Thus  either  subsystem  provides  the 
full  system  function.  Additional  sources  of  voice  communication  are 
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provided  by  a separate  very-high-frequency  system.  Each  of  the  sub- 
systems consists  of  numerous  assemblies  and  components,  all  of  which 
nave  specific  functions.  However,  failure  of  any  one  of  these  compo- 
nents results  in  only  three  types  of  failure  in  terms  of  communications: 
inability  to  transmit,  inability  to  receive,  or  inability  to  select  the  de- 
sired channel  (frequency). 


1  Is  the  occurrence  of  a failure  evident  to  the  operating  crew  during 
performance  of  normal  duties? 


The  failure  effects  described  in  Exhibit  7.12  show  that  any  of  these  three 
basic  types  of  failure  will  immediately  be  evident  to  the  operating  crew. 
Hence  the  answer  to  the  first  decision  question  is  yes. 


2  Does  the  failure  cause  a loss  of  function  or  secondary  damage  that 
could  have  a direct  adverse  effect  on  operating  safety? 


Because  of  system  redundancy,  none  of  the  failures  will  result  in  a loss 
of  the  system  function  and  will  therefore  not  affect  operating  safety,  so 
the  answer  to  this  question  is  no. 

This  brings  us  to  the  question  of  operational  consequences: 


3  Does  the  failure  have  a direct  adverse  effect  on  operational 
capability? 


Most  of  the  major  assemblies  in  this  item  are  plug-in/plug-out  units 
and  can  be  changed  very  quickly  after  a failure  has  occurred.  The  time 
required  to  replace  a failed  unit  may  result  in  no  delay  if  the  failure  is 
reported  at  a maintenance  station,  but  it  will  cause  a delay  if  the  failure 
report  is  received  at  a nonmaintenance  Nation.  Since  both  subsystems 
must  be  operative  before  the  plane  can  ue  dispatched,  a failure  is  con- 
sidered to  have  operational  consequences.  This  means  that  the  item 
must  be  classified  as  significant. 

At  this  point  we  would  ordinarily  examine  each  failure  mode  to 
find  preventive  tasks  that  are  both  applicable  and  cost-effective.  How- 
ever, past  experience  with  ,’:is  type  of  system  has  shown  that,  although 
each  major  assembly  is  subject  to  many  failure  modes,  current  tech- 
nology provides  no  means  of  detecting  reduced  failure  resistance.  There 
are  therefore  no  applicable  forms  of  on-condition  inspection.  We  would 
not  expect  scheduled  rework  to  reduce  the  failure  rate  in  a complex 

item,  and  in  fact  it  does  not.  By  the  same  token,  discard  tasks  are  not  SECTION  7-3  187 


EXHIBIT  7-12  An  information  worksheet  for  the  high-frequency 
communications  subsy  iem  in  the  Boeing  747. 


SYSTEM  INFORMATION  WORKSHEET  type  o'  aircraft  Boeing  747 


item  number 

item  name  High-frequency  communications  subsystem 
vendor  part/model  no.  All  models 


item  description 

Communications  subsystem  consisting  of  receiver, 
transmitter,  power  modulator,  frequency-selector 
panel,  antenna  coupler,  accessory  unit,  lightning 
arrester,  and  boom  antenna. 


reliability  data 

premature-removal  rate  (per  1,000  unit  hm  rs) 


failure  rate  (per  1,000  unit  hours) 
source  of  data 

functions 

1 To  transmit  voice  signals 

2 To  receive  voice  signals 

3 To  select  desired  channel 


functional  failures 
A No  output 

A No  reception 

A Failure  to  tune  to  selected 
channel 
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page 


of 


date  3/6/78 
date  3/6/78 
date 

redundancies  .nd  protective  features  (include  instrumentation) 

The  system  consists  of  two  identical  independent  subsystems  which 
can  be  used  simultaneously  for  transmitting  nr  receiving  or.  any 
frequency.  Backup  systems  include  a very-high-frequency  system  for 
relay  of  messages  and  SELCAL  (selective  calling),  which  allows  ground 
stations  to  ring  bell  in  cockpit  to  notify  crew  of  call. 


no.  per  aircraft  2 

system  Communications 

zone(s) 


prepared  by  F.  S.  Nowlan 
i Jewed  by  E.  S.  Wagner 
approved  by 


built-in  test  equipment  (describe)  Fault-annunciator  panel  on  accessory  unit 


Can  aircraft  be  dispatched  with  item 
inoperative?  If  so,  list  any  limitations 
which  must  he  observed. 

No 


classification  of  item  (check) 
X significant 

hidden  function 
nonsignificant 


failure  inodes  failure  effects 

1 Many  No  voice  amplification,  no  response  to  transmission;  loss  of 

backup-frequency  transmitting  capability 

1 Many  No  background  noise  from  receiver,  no  messages  heard; 

loss  of  backup-frequency  monitoring  capability 

1 Failure  of  frequency  selector  No  response  to  transmission  on  expected  frequencies; 

possible  loss  of  backup-frequency  monitoring  capability 


SYSTEM  DECISION  WORKSHEET  type  of  aircraft  Boeing  747 


item  name  High-frequency  communications  subsystem 


responses  to  decision-diagram  questions 


ref. 

consequences 

task  selection 

F 

FF 

FM 

i 

2 

3 
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EXHIBIT  7*13  A worksheet  showing  the  results  of  RCM  analysis  of 
the  Boeing  747  high-frequency  communications  subsystem.  The 
references  are  to  the  functions,  functional  failures,  and  failure  modes 
listed  in  Exhibit  7.1?. 

applicable.  We  must  therefore  conclude  that  this  system  cannot  benefit 
from  scheduled  maintenance.  If  operating  experience  shows  that  its 
reliability  is  inadequate,  especially  as  the  result  of  a dominant  failure 
mode,  design  changes  directed  at  the  faulty  component  will  be  the  only 
way  of  overcoming  the  problem.  The  results  of  this  analysis  are  shown 
in  Exhibit  7.13. 

ANALYSIS  OF  OTHER  TYPICAL  SYSTEMS  ITEMS 

The  failure  of  a hidden  function  cannot,  by  definition,  have  a direct 
effect  on  operating  safety.  In  some  cases,  however,  the  consequences  of 
a multiple  failure  involving  the  loss  of  this  function  can  be  critical.  This 
situation  is  characteristic  of  emergency  equipment,  where  the  demand 
for  a hidden  function  arises  as  the  result  of  some  other  failure.  Two 
examples  are  the  powerplant  fire-warning  system  and  ejection-seat 
pyrotechnic  devices.  All  such  items  must  be  protected  by  some  sched- 
uled task  to  ensure  that  the  hidden  function  will  be  available  if  it  is 
needed. 

The  powerplant  fire-warning  system  is  active  whenever  an  airplane 
is  in  use,  but  its  function  is  hidden  unless  it  senses  a fire.  Although 
some  warning  systems  include  fault  indicators,  certain  failure  modes 
can  result  in  a loss  of  function  that  is  not  shown  by  the  indicators;  con- 
sequently this  system  is  always  classified  as  a hidden-function  item. 
190  applications  However,  the  required  failure-finding  task  is  not  necessarily  performed 
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p«g*  of 
ittm  number 


prepared  by  F.  S.  Nowlan  reviewed  by  B.  S.  Wagner 


proposed  task 


Initial  Interval 


None.  There  are  no  applicable 
and  effective  scheduled* 
maintenance  tasks  for  this 
system. 


by  the  maintenance  crew.  In  this  case  it  is  specified  as  part  of  the  duties 
of  the  operating  crew.  The  crew  tests  the  system  before  each  flight  by 
means  of  a built-in  self-test  circuit. 

The  pyrotechnic  device  in  an  ejection  seat  is  also  a hidden-function 
item  that  requires  a high  degree  of  availability.  Pyrotechnic  materials 
deteriorate  with  age  whether  they  are  installed  or  not,  so  a discard  task 
is  applicable  to  this  item.  In  an  initial  program  the  task  interval  is  set 
either  conservatively  low  or  at  a life  limit  based  on  previous  experience 
with  the  same  item  in  other  aircraft.  All  units  are  tested  when  they  are 
removed  from  service  to  see  whether  they  would  have  worked,  and  the 
interval  is  adjusted  as  necessary  on  the  basis  of  the  test  results.  The 
cool-gas  generator  for  the  inflatable  evacuation  chute  of  passenger  air- 
craft is  accorded  the  same  treatment. 

Although  systems  items  in  commercial  transport  airplanes  rarely 
fall  in  the  safety  branch  of  the  decision  diagram,  not  all  systems  compo- 
nents can  be  protected  by  redundancy.  One  example  is  the  hydraulic 
landing-gear  actuator,  which  powers  the  mechanism  that  raises  and 
lowers  the  landing  gear.  If  the  actuator  fails  to  retract  the  gear,  the  air- 
plane must  return  to  the  point  of  takeoff.  If  it  fails  to  extend  the  gear,  the 
gear  can  still  be  extended  by  a free-fall  feature.  In  either  case  the  loss  of 
function  does  not  affect  safety,  but  one  of  the  failure  modes  does  cause 
secondary  damage. 

One  failure  mode  for  these  actuators  involves  cracking  or  separa-  SECTION  7*3  191 
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tion  of  the  endcap  as  a result  of  fatigue,  perhaps  accelerated  by  pitting 
corrosion.  This  type  of  failure  may  cause  secondary  damage  to  the  air- 
craft structure,  but  only  in  the  unlikely  event  of  certain  multiple  failures. 
The  structural  damage  in  this  case  does  not  affect  safety,  but  it  does  have 
major  operational  consequences,  since  any  structural  repairs  take  the 
entire  aircraft  out  of  service.  Pitting  corrosion,  which  will  greatly  shorten 
the  fatigue  life  of  the  endcap,  is  visible  when  the  actuator  is  disassembled 
in  the  shop.  An  on-condition  inspection  for  corrosion  is  therefore  appli- 
cable and  would  be  scheduled  as  part  of  any  shop  visit  of  the  landing- 
gear  actuator.  However,  the  primary  failure  process  is  fatigue,  and  it  is 
not  feasible  to  inspect  the  endcap  often  enough  to  detect  fatigue  cracks 
at  the  potential-failure  stage.  Scheduled  rework  is  not  applicable  for  this 
failure  mode.  A discard  task  would  take  care  of  the  fatigue  problem,  but 
this  particular  cap  was  designed  for  a fatigue  life  greater  than  the  ex- 
pected service  life  of  the  airplane;  hence  a life  limit  was  considered 
unnecessary. 


7 • 4 ESTABLISHING  TASK  INTERVALS 

initial  intervals  At  the  time  an  initial  maintenance  program  is  developed  there  is  usually 
the  role  of  age  exploration  enough  information  to  determine  the  applicability  of  on-condiuon  and 
failure-finding  tasks.  However,  the  information  neede  1 to  determine 
optimum  inspection  intervals  is  ordinarily  not  available  until  after  the 
equipment  enters  service.  In  many  cases  previous  experience  with  the 
same  or  a similar  item  serves  as  a guide,  but  in  the  absence  of  actual 
operating  data  it  is  necessary  to  set  conservatively  short  intervals  for  all 
tasks  and  increase  them  on  the  basis  of  age  exploration.  Thus  on  a new 
aircraft  the  tires  and  brake  wear  indicators  are  ordinarily  checked  once  a 
day  to  determine  the  rate  of  reduction  in  failure  resistance  undej  ictual 
operating  conditions.  Once  this  has  been  established,  precise  limits  can 
be  defined  for  potential  failures  and  the  inspection  intervals  can  be 
adjusted  as  necessary. 

Scheduled  rework  tasks  have  proved  to  be  ineffective  for  complex 
items  in  systems,  and  in  any  case,  the  information  required  to  determine 
their  applicability  is  rarely  available  until  sufficient  operating  experi- 
ence has  accumulated  for  an  actuarial  analysis.  Occasionally  prior  ex- 
perience or  concern  about  the  economic  impact  of  failures  leads  to  the 
specification  of  rework  tasks  in  an  initial  program.  Seven  items  were 
specified  for  rework  in  the  Douglas  DC-10  program  and  eight  in  the 
Boeing  747  program.  The  DC-10  generator  control  unit  was  scheduled 
for  rework  at  an  initial  interval  of  3,000  hours,  the  DC-10  high-pressure 
bleed-control  valve  at  an  interval  of  8,000  hours,  and  the  Boeing  74 7 
192  APPLICATIONS  generator  at  an  interval  of  5,000  hours. 


The  intervals  for  safe-life  items  are  known  at  the  outset,  since  these 
are  established  by  the  manufacturer.  Economic-life  discard  tasks  for 
simple  items  such  as  hydraulic  lines  may  be  anticipated  in  an  initial 
program,  but  they  are  rarely  included  at  this  stage.  Like  rework  tasks, 
there  is  no  basis  for  establishing  a cost-effective  interval  until  the  equip- 
ment begins  to  age  in  service.  The  role  of  age  exploration,  especially  in 
monitoring  the  performance  of  the  many  systems  assigned  to  no  sched- 
ule maintenance,  is  discussed  in  detail  in  Chapter  11. 
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rcm  analysis  of  powerplants 


THE  POWERPLANT  division  of  an  airplane  includes  only  the  basic  engine. 
Engines  are  complex,  however,  and  are  subject  to  numerous  forms  of 
failure,  most  of  which  are  expensive  and  some  of  which  are  critical.  More- 
over, nearly  all  powerplant  failures  have  operational  consequences, 
since  it  is  usually  necessary  to  remove  an  engine  and  install  a replace- 
ment after  a failure  has  occurred.  Thus  the  cost  of  failure  includes  both 
operational  consequences  and  the  support  cost  of  very  expensive  re- 
place lent  units,  in  addition  to  the  high  cost  of  corrective  maintenance, 
lor  aM  these  reasons  there  is  a particularly  strong  incentive  to  find 
applicable  and  effective  preventive  tasks. 

The  powerplant  is  accompanied  by  a number  of  engine-driven 
accessories,  such  as  the  fuel  pump  and  the  fuel-control  system.  On 
some  types  of  engines  the  thrust  reverser  is  also  an  accessory,  rather 
ihan  an  integral  pa  t of  the  engine.  These  accessories,  as  well  as  their 
connecting  links  to  the  engine,  are  treated  as  part  of  the  systems  divi- 
sion. However,  some  of  the  failure  possibilities  to  which  they  are  ex- 
p sed  will  influence  the  functioning  of  the  engine  itself;  a fuel-pump 
failure,  for  example,  may  causi.  an  engine  flameout.  It  is  therefore  im- 
portant for  the  study  group  working  on  the  powerplant  program  to 
review  the  analyses  of  the  essential  engine  accessories. 

Because  of  its  complexity  a turbine  engine  is  subject  to  a great 
many  types  of  failures,  most  of  which  never  reach  the  functional- 
failure  stage.  While  potential  failures  may  result  in  age-related  remov- 
als, particularly  if  there  are  dominant  failure  modes,  the  residual  fail- 
ure rate— those  failures  seen  by  the  operating  crew  — remains  relatively 
constant  at  all  ages  because  of  the  large  number  of  failure  modes  in- 
volved i’his  fact  has  several  implications  fora  scheduled-maintenance 
program.  First  of  all,  because  those  functional  failures  that  cannot  be 
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prevented  by  on-condition  tasks  occur  at  widely  disparate  ages,  sched- 
uled overhaul  of  the  entire  engine  at*some  particular  age  will  do  little 
or  nothing  to  improve  its  reliability.  However,  engine  removals  for 
both  potential  and  functional  failures  result  in  a continual  flow  of  en- 
gines to  the  shop  throughout  their  operating  lives,  thus  providing  the 
opportunity  for  a more  effective  form  of  protection  through  on-condition 
tasks  scheduled  as  part  of  the  repair  process.  New  engines  in  particular 
supply  an  abundance  of  such  opportunity  samples,  and  the  assignment 
of  internal  engine  parts  to  inspections  for  intensive  age  exploration  is 
an  important  part  of  the  initial  powerplant  program 


8 • 1 CHARACTERISTICS  OF  POWERPLANT  ITEMS 


The  operating  gross  weights  of  transport  aircraft  are  not  only  restricted 
by  structural  considerations;  they  are  also  restricted  flight  by  flight  to 
ensure  that  a multiengine  airplane  will  have  a specified  performance 
capability,  measured  as  available  rate  of  climb,  after  a complete  loss  of 
thrust  from  one  engine  (in  some  cases  two  engines).  Hence  the  airplane 
is  capable  of  safe  operation  with  one  engine  inoperative  as  long  as  the 
remaining  engines  meet  specified  performance  requirements.  For  this 
reason  Ihe  basic  function  of  an  aircraft  engine  is  defined  as  the  capa- 
bility of  providing  a specified  amount  of  thrust,  without  vibration  and 
at  acceptable  levels  of  other  operating  parameters.  If  an  engine  cannot 
perform  this  function,  a functional  failure  has  occurred.  This  failure  may 
range  from  a complete  loss  of  thrust  (an  engine  shutdown)  to  insuffi- 
cient thrust,  caused,  for  example,  by  high  exhaust-gas  temperatures.  In 
aircraft  other  than  civilian  transport  airplanes  the  basic  function  of  the 


the  basic  engine  function 
design  characteristics 
maintenance  characteristics 
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engine  can  still  be  stated  in  terms  of  specified  thrust,  but  the  conse- 
quences of  a functional  failure  might  be  quite  different.  In  a single- 
engine  aircraft,  for  instance,  a significant  loss  of  thrust  would  have  a 
direct  effect  on  operating  safety,  since  there  is  only  one  source  of  power. 

Cockpit  instruments  enable  the  operating  crew  to  monitor  most 
aspects  of  engine  performance,  such  as  compressor  rotation  speed, 
exhaust-gas  temperature,  fuel  flow,  oil  pressure,  oil-inlet  temperature, 
and  the  engine  pressure  ratio.  The  engine  pressure  ratio  is  correlated 
with  engine  thrust,  and  power  is  set  by  advancing  the  throttle  until  a 
desired  pressure  ratio  is  reached.  Ordinarily  power  will  be  obtained  at 
an  exhaust-gas  temperature  well  below  the  maximum  limit.  However, 
when  there  is  deterioration  that  reduces  combustion  efficiency  or  the 
efficiency  of  gas  flow  through  the  engine,  more  throttle  movement,  and 
hence  more  fuel  consumption,  is  needed  to  obtain  the  same  power. 
Consequently  the  exhaust-gas  temperature  is  increased,  and  the  engine 
may  become  temperature-limited  even  though  no  parts  within  it  have 
failed.  An  engine  failure  of  this  kind  always  has  operational  conse- 
quences because,  although  a multiengine  airplane  can  safely  complete 
its  flight  with  one  engine  inoperative,  it  cannot  be  dispatched  in  this 
condition. 

In  addition  to  failures  resulting  from  inefficient  engine  perform- 
ance, an  aircraft  engine  is  subject  to  numerous  other  failure  modes, 
some  of  which  cause  secondary  damage  that  presents  a safety  hazard. 
For  both  these  reasons  the  engine  as  a whole  must  be  classified  as  a 
significant  item;  a functional  failure  may  have  safety  consequences  and 
always  has  major  economic  consequences.  If  the  engine  is  partitioned 
into  smaller  items,  by  module  or  by  stage,  many  of  its  components  will 
also  be  classified  as  significant  items. 

As  an  example,  consider  the  Pratt  & Whitney  JT8D  engine,  which  is 
in  use  on  such  aircraft  as  the  Boeing  737,  the  Douglas  DC-9,  and  the 
Boeing  727.  This  turbine  engine  has  five  general  sections,  as  illustrated 
in  Exhibit  8.1.  The  compressor  section  consists  of  two  axial-flow  com- 
pressors, a front  low-pressure  compressor  with  six  stages  and  a rear 
high-pressure  compressor  with  seven  stages.  Each  compressor  is  built 
up  from  individual  disks  cor  each  stage.  These  disks  rotate,  and  small 
blades  attached  to  their  peripheries  compress  the  air  as  it  flows  by 
them.  Air  from  the  inlet  section  of  the  engine  flows  into  the  front  com- 
pressor. The  first  two  stages  of  this  compressor  are  fan  stages,  and  some 
of  the  air  that  flows  through  them  bypasses  the  other  compressor  stages; 
the  rest  moves  on  to  higher  stages,  with  its  pressure  increased  at  each 
successive  stage,  The  compressed  air  then  enters  the  nine-can  (can- 
annular)  combustion  chamber.  Fuel  is  added  to  the  air,  the  mixture 
is  burned,  and  the  expanding  gases  flow  through  a four-stage  turbine 
and  finally  pick  up  speed  as  they  are  expanded  out  of  the  exhaust  nozzle, 
thereby  creating  thrust. 


First  and  second  Secondary  Primary 
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nozzle  guide  turbine  blades  disk/blade  nozzle 


Exhaust  section 
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EXHIBIT  8-1  Schematic  diagram  of  the  Pratt  & Whitney  |T8V)  turbine 
engine.  The  thrust  reverse!  is  not  shown.  (Based  on  I’ratt  & Whitney 
training  materials) 


Each  stage  of  the  turbine  is  a disk  with  blades  on  its  periphery,  some- 
what like  the  compressor  stages.  The  forward  stage  of  the  turbine  drives 
the  high-pressure  compressor  and  the  other  three  stages  drive  the  low- 
pressure  compressor  by  ,’eans  of  concentric  rotor  shafts.  Power  is  taken 
from  the  outer  shaft  by  bevel  gears  and  directed  down  a towershaft  to 
the  main  accessory  case.  Each  accessory  attached  to  this  case  is  driven 
by  a spline-pinion  connection  to  the  main  gear.  Plenum  rings  and  ports 
built  into  the  engine  case  bleed  off  air  from  the  sixth,  eighth,  and  thir- 
teenth stages  of  the  compressor  and  direct  it  into  ducting;  this  high- 
pressure  air  supplies  the  pneumatic  system  for  cabin  pressurization,  air 
conditioning,  anti-icing,  thrust-reverser  actuation,  and  engine  cross- 
starting capability. 

The  thrust  leverser  is  an  accessory  on  the  JT8D  engine  and  would 
ordinarily  be  analyzed  as  a systems  item.  However,  in  some  installa- 
tions it  is  attached  in  such  a way  that  it  is  removed  along  with  the  basic 
engine,  and  on  other  types  of  engines  it  is  often  part  of  the  basic  engine. 
For  convenience,  therefore,  we  will  consider  it  as  a powerplant  item  in 
this  case.  The  thrust  reverser  is  mounted  behind  the  exhaust  nozzle. 
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It  is  of  the  mechanical-blockage  type  and  moves  two  clamshell-shaped 
deflectors  into  the  exhaust  stream  on  the  pilot's  command.  The  deflected 
exhaust  is  then  redirected  forward  by  a panel  of  cascade  vanes  mounted 
on  each  side  of  the  engine.  The  reverser  is  actuated  pneumatically  by  a 
system  of  controls,  valves,  actuators,  linkages,  and  plumbing. 

When  the  engine  is  partitioned  into  modules  (systems),  sections 
(subsystems),  and  stages  (assemblies),  some  modules  will  be  found  to 
contain  very  few  parts  that  are  not  significant.  In  a compressor,  for 
example,  the  disks,  hubs,  and  shafts  are  all  significant  items.  Failures 
of  most  of  the  rotating  parts  and  parts  exposed  to  the  gas  path  will  be 
evident  to  the  operating  crew  from  the  cockpit  instruments;  they  will 
therefore  have  operational  consequences.  Failures  of  nonrotating,  non- 
gas-path parts,  many  of  which  form  plenums  (containing  gases  under 
pressure)  or  reservoirs  (containing  operating  fluids  such  as  oil)  may  not 
be  evident  and  will  require  scheduled  inspections  for  this  reason.  :» 
short,  there  are  very  few  parts  of  an  engine  that  do  not  require  some 
form  of  scheduled  maintenance. 

Because  of  the  great  number  of  failure  modes  to  which  an  aircraft 
engine  is  exposed,  RCM  analysis  of  powerplant  items  may  fall  in  any 
of  the  four  branches  of  the  decision  diagram.  Many  engine  parts  are 
subject  to  failures  with  critical  secondary  damage  and  will  therefore  be 
assigned  safe-life  discard  tasks.  In  an  initial  powerplant  program,  how- 
ever, the  most  frequent  outcome  in  any  consequence  category  is  an  on- 
condition  task,  with  intensive  inspection  of  certain  items  as  part  of  the 
age-exploration  plan.  One  reason  for  this  is  that  coirective  maintenance 
on  engines  is  responsible  for  more  than  half  the  support  cost  for  any 
airplane,  and  even  when  fractured  parts  do  not  cause  hazardous  dam- 
age, they  may  cause  damage  that  is  very  expensive  to  repair.  Another 
reason,  of  course,  is  to  avoid  the  safety  and  operational  consequences 
of  a functional  failure. 

On-condition  inspections  of  powerplant  items  are  performed  at 
two  levels,  depending  on  the  accessibility  of  the  tern.  Many  items  can 
be  inspected  visually  or  by  borescope  and  radiography  techniques 
while  the  engine  is  on  the  aircraft.  Most  internal  engine  parts  cannot 
be  inspected  without  a certain  amount  of  disassembly.  These  parts  are 
therefore  assigned  on-condition  inspections  in  the  shop  when  the  en- 
gine is  being  disassembled  for  repair.  When  the  combustion-chamber 
retaining  lug  is  removed,  for  example,  a plug  gage  is  fitted  into  the  lug. 
If  the  fit  meets  specifications  the  combustion  chamber  can  be  rein- 
stalled as  is;  otherwise  it  is  routed  to  repair. 

Whereas  on-condition  inspections  on  installed  engines  are  per- 
formed at  fixed  intervals,  the  shop  inspections  of  internal  engine  items 
are  scheduled  on  the  basis  of  opportunity  samples,  sometimes  with  a 
maximum  age  interval  as  a precaution.  Opportunity  samples  take  ad- 
vantage of  the  fact  that  with  large  fleets  of  multiengine  airplanes  there 
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will  be  a sufficient  flow  of  engines  through  the  shop  to  provide  con- 
tinuing exposure  of  all  the  major  parts.  During  the  first  few  years  of 
operation,  when  the  fleet  is  small,  the  failure  rate  is  usually  also  at  its 
highest,  which  automatically  brings  a larger  number  of  engines  to  the 
shop.  These  frequent  shop  visits  not  only  provide  information  on  the 
items  that  have  failed,  but  also  permit  easy  inspection  of  all  the  parts 
that  must  be  removed  to  gain  access  to  the  failed  item.  Thus,  in  addition 
to  the  on-condition  tasks  that  are  known  to  be  applicable,  in  an  initial 
program  many  internal  engine  parts  are  assigned  such  inspections  for 
the  purpose  of  age  exploration.  Although  some  of  these  inspections  may 
prove  to  have  no  real  on-condition  capability,  they  will  be  the  only 
source  of  information  on  items  that  are  not  experiencing  failures. 


8 *2  ASSEMBLING  THE  REQUIRED  INFORMATION 

The  analysis  of  significant  items  in  an  aircraft  powerplant  requires  a initial  information  requirements 
broad  knowledge  of  current  maintenance  practices,  as  well  as  a detailed  the  information  worksheet 
understanding  of  the  specific  engine  under  consideration.  The  mem- 
of  the  powerplant  working  group  will  know  from  previous  experi- 
ence the  areas  of  the  engine  that  tend  to  be  the  most  troublesome  in  new 
designs.  They  will  also  be  familiar  with  the  various  forms  of  on-condition 
inspection  and  the  uses  of  opportunity  sampling  in  conducting  age 
exploration.  In  addition  to  this  background  information,  the  engine 
manufacturer  provides  specific  information  about  any  new  engine  by 
reviewing  the  design  characteristics  of  the  production  model  with  the 
entire  working  group.  During  this  process  similarities  to  and  differences 
from  in-service  types  of  engines  become  apparent.  The  review  also  pin- 
points areas  in  which  new,  or  relatively  new,  technology  has  been 
incorporated  in  the  design,  either  to  reduce  the  weight  of  the  engine  or 
to  increase  its  performance  capabilities. 

New  aircraft  engines  are  designed  and  developed  over  a period  of 
years  preceding  certification  of  the  aircraft  in  which  they  are  installed. 

Extensive  testing  is  conducted  at  each  stage  of  development  to  ensure 
that  a reliable  product  is  being  developed.  Many  different  prototype 
engines  are  usually  used  during  the  certification  test  flights  of  the  air- 
plane itself,  and  experience  with  these  engines  gives  the  manufacturer 
an  opportunity  to  identify  and  resolve  any  problems  that  come  to  light. 

In  addition,  once  the  engine  design  is  stabilized,  several  engines  are 
tested  in  endurance  runs,  either  as  part  of  the  engine  certification  pro- 
gram or  as  an  adjunct  to  it.  Unfortunately  this  early  experience  may  not 
be  of  great  use  during  the  development  of  an  initial  maintenance  pro- 
gram, because  the  engine  will  usually  have  been  modified  to  correct 
any  known  problems  before  the  production  engines  are  delivered.  The 
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EXHIBIT  8-2  Th  o d.it.i  elements  needed  for  analysis  of  powerplant 
items. 

IDENTIFIC ATION  OF  ITIM 

Type  of  aircraft  Quantity  per  engine 

Type  of  engine  Location  (section/module) 

Item  name 

Manufacturer's  part  and  model  number 
ITEM  INFORMATION 

Item  description  (general  function  and  major  parts) 

Redundancies  and  protective  features  (including  instrumentation) 
Built-in  test  equipment 

AVAILABLE  RELIABILITY  DATA 
Anticipated  premature-removal  rate 

Anticipated  verified  failure  rate 

Source  of  data  (test  data  or  operating  experience) 

RCM  INPUT 

Item  functions 

Functional  failures  (as  defined  'or  each  function) 

Most  probable  failure  modes 

Predictable  failure  effects  (for  each  failure  mode) 

Evidence  of  functional  failure 

Effects  of  loss  of  function  on  operating  capability 

Effects  of  failure  beyci.c:  ioss  of  function  (including 
ultimate  effects  of  possible  secondary  damage) 

Nature  of  failure  consequences 

Evidence  of  reduced  failure  resistance  that  can  be  used  to 
define  potential-failure  conditions 

Experience  with  other  engines  containing  the  same  or 
similar  item 
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depends  heavily  on  the  knowledge  and  experience  of  the  working 
group. 

Exhibit  8.2  lists  the  data  elements  that  must  be  assembled  before 
analysis  begins.  Much  of  this  information  comes  from  detailed  review 
of  the  production  model,  supplemented  by  the  manufacturer's  instruc- 
tion manuals  and  test  data.  The  data  elements  for  each  item  to  be  ana- 
lyzed are  recorded  on  an  information  worksheet  like  that  used  for 
systems  items.  In  the  case  of  powerplant  items  the  manufacturer's 
identification  is  usually  functionally  descriptive  in  itself.  However,  the 
item  description  should  include  all  major  components  and  should  reflect 
the  level  of  item  being  considered  (see  Exhibit  8.3).  Where  the  item  is 
a module  or  stage,  the  description  should  list  all  the  major  assemblies  it 
contains. 

As  with  systems  items,  it  is  important  to  list  all  redundancies  and 
protective  features.  Bypasses  and  pressure-relief  systems,  as  well  as  the 
extent  of  the  cockpit  instrumentation,  are  all  factors  in  evaluating  the 
consequences  of  a functional  failure.  If  the  engine  case  is  designed  to 
contain  fractured  parts,  this  information  should  be  included,  since  it 
means  that  the  secondary  damage  resulting  from  certain  failures  will 
not  have  safety  consequences  (although  it  may  have  major  economic 
consequences).  Ordinarily  an  aircraft  cannot  be  dispatched  with  any 
major  engine  item  inoperative  (this  information  comes  from  the  mini- 
mum-equipment list  and  pertains  primarily  to  systems  items).  How- 
ever, a yes  answer  for  an  individual  part  may  mean  that  this  item  can 
be  classified  as  nonsignificant,  since  a functional  failure  will  have  no 
operational  consequences. 

In  listing  the  functions  of  an  item  it  is  important  to  describe  both 
its  basic  function  and  all  secondary  or  characteristic  functions.  Each 
function  described  should  relate  in  some  way  to  one  of  the  overall 
engine  functions.  For  example,  the  basic  function  of  the  nozzle  guide 
vanes  is  to  redirect  the  exhaust  gases  onto  the  first-stage  turbine  blades; 
a second  function  is  to  create  the  proper  nozzle  area  for  efficient  engine 
operation.  The  functional  failures  are  the  inability  to  perform  these 
functions;  note  that  in  some  cases  there  is  more  than  one  failure  possi- 
bility for  a given  function.  The  failure  modes  are  the  specific  ways  each 
type  of  functional  failure  can  occur.  In  addition  to  the  failure  modes 
listed  for  the  nozzle  guide  vanes,  rotating  parts  such  as  blades  and 
disks  are  subject  to  fatigue.  Combustion  chambers  may  crack  or  bum 
through,  or  their  locating  pins  may  wear.  Unless  the  failure  modes  am 
dearly  identified,  there  is  no  way  to  determine  what  preventive  tasks 
might  be  applicable. 

The  failure  effects  identify  the  immediate  results  of  he  failure.  These 
effects  include  any  secondary  damage  caused  by  the  failure,  as  well  as 
the  impact  of  the  loss  of  function  both  on  the  engine  and  on  the  aircraft. 


section  a z 201 


EXHIBIT  8*3  An  information  woiksheet  for  the  first-stage  nozzle 
guide  vaner.  of  the  Pratt  & Whitney  JT3D  powerplant. 


POWWPLANT  INFORMATION  WORKSHEET  type  of  aircraft  Douglas  DC-S 

type  of  engine  Pratt  4c  Whitney  JT3D 

item  number 

item  name  Firet-stage  nozzle  guide-vane  assembly 
vendor  part/model  no.  536751/JT3D 


item  description 

The  63  nozzle  guide  vanes  form  a set  of  airfoils 
located  in  the  gas  path  immediately  downstream  of 
the  combustion-chamber  outlet  duct.  They  accelerate 
and  direct  hot  gases  onto  the  first-stage  turbine  blades 
at  the  proper  angle  for  aerodynamic  efficiency. 


reliability  data 

premature-removal  ra*e  (per  1,000  unit  hours) 
failure  rate  (per  1,000  unit  hours) 
source  of  data 

functions  functional  failures 

1 To  redirect  gases  at  the  A Vanes  form  improper  angle 

proper  velocity  and  angle  and  nozzle  area 
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page 


of 


no,  per 

engine  63 

prepared  by 

T.  M.  Edwards 

date 

6/26/78 

section 

Turbine 

reviewed  by 

T.  N.  Mix 

date 

6/26/78 

module 

approved  by 

date 

redundancies  and  protective  features  (include  instrumentation) 

Vanes  are  made  of  small-grain  alloy  to  resist  heat  deformation  and 
receive  protective  coating  to  resist  heat  damage  and  erosion.  Vanes 
are  bolted  in  place  to  prevent  fractured  parts  from  slipping  into 
alrstream. 

Note:  Multiple  guide  vanes  provide  no  functional  redundancy. 


built-in  test  equipment  (describe)  None 


Can  aircraft  be  dispatched  with  item 
inoperative?  If  so,  list  an<-  limitations 
which  must  be  observed. 

No 


classification  of  item  (check) 
X significant 

hidden  function 
nonsignificant 


failure  modes 

1 Bowing  of  nozzle  guide  vanes 
from  heat  deformation 


2 Erosion  of  nozzle  guide  vanes 
from  direct  exposure  to  exhaust-gas 
particles 


failure  effects 

Progressive  loss  in  engine  efficiency,  increased  fuel 
consumption  and  exhausi-ga  temperature,  and  possible 
high-power  stall  resulting  in  engine  shutdown;  if  vanes 
bow  back  into  turbine-blade  path,  contact  with  rotating 
blades  resulting  in  fracture  and  critical  secondary 
damage  from  blade  failure 

Progressive  loss  in  engine  efficiency,  leading  to  possible 
engine  shutdown  as  for  1 A 1 (no  contact  with  turbine 
blades) 


The  description  should  also  specify  any  physical  evidence  by  which  the 
occurrence  of  the  failure  can  be  recognized  by  the  operating  crew.  In 
the  case  of  most  engine  failures  this  is  an  instrument  indication,  often 
the  exhaust-gas  temperature  reading.  The  failure  effects  must  be  de- 
scribed for  each  failure  possibility,  since  they  help  to  determine  the 
consequences  of  that  failure,  and  hence  the  priority  of  maintenance 
requirements. 

As  an  example,  one  of  the  failure  modes  listed  in  Exhibit  8.3  for  the 
JT3D  engine  is  bowing  of  the  turbine  nozzle  guide  vanes  as  a result  of 
prolonged  exposure  to  high  temperatures.  The  effects  in  this  case  are 
progressive.  Slight  bowing  will  change  the  entry  direction  of  the  gases, 
reducing  the  efficiency  of  turbine-blade  action  and  causing  the  exhaust- 
gas  temperature  to  rise  for  a given  thrust  setting.  If  the  temperature  is 
already  high  because  of  other  deterioration  in  the  engine,  the  permis- 
sible temperature  will  be  exceeded,  and  the  pilot  will  report  a functional 
failure.  However,  the  exhaust-gas  temperature  measures  the  overall 
efficiency  of  the  engine,  and  if  the  limit  temperature  is  not  reached, 
bowing  may  continue  to  a point  at  which  the  stationary  vanes  come 
into  contact  with  the  rotating  turbine  blades.  Either  the  blades  or  the 
vanes  will  fracture,  and  if  the  engine  case  cannot  contain  the  fractured 
parts,  the  ultimate  effect  of  bowed  guide  vanes  in  this  engine  design  is 
critical  secondary  damage.  The  failure  must  therefore  be  classified  as 
having  safety  consequences. 

All  the  relevant  information  is  examined  for  each  engine  item,  and 
the  item  is  then  classified  as  significant  or  nonsignificant  on  the  basis 
of  its  failure  consequences.  Items  in  either  category  may  have  one  or 
more  hidden  functions;  thus  an  item  may  be  identified  in  this  initial 
partitioning  process  as  nonsignificant,  but  also  as  having  a hidden 
function.  Since  all  hidden  functions  must  be  protected  by  scheduled 
maintenance  to  ensure  that  failures  will  be  found  and  corrected,  both 
significant  items  and  hidden-function  items  must  be  subjected  to  full 
RCM  analysis. 

The  objective  of  the  partitioning  process  outlined  in  Chapter  4 is 
to  select  the  most  convenient  level  of  item  for  analysis.  Most  powerplant 
analyses  can  be  conducted  conveniently  at  the  module  or  section  level. 
In  this  case  the  failure  of  any  significant  item  included  in  the  module  or 
section  under  consideration  would  constitute  a failure  mode.  For  ex- 
ample, if  the  item  selected  for  study  were  the  turbine  section,  one  of  the 
failure  modes  would  be  failure  of  the  first-stage  turbine  nozzle  guide 
vanes.  However,  thi  powerplant  itself  can  also  be  viewed  as  an  item. 
While  this  is  only  one  of  several  possible  approaches,  it  has  certain  ad- 
vantages in  sorting  the  vast  number  of  failure  possibilities  that  must  be 
considered  into  an  organized  pattern  on  the  basis  of  their  consequences. 
In  the  examples  that  follow,  therefore,  we  will  consider  the  entire  engine 
as  a significant  item. 
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8*3  FAILURES  OF  THE  BASIC  ENGINE  FUNCTION 


The  Pratt  & Whitney  JT8D  engine  used  on  the  three-engine  Boeing  727  fractures  with  critical 
is  described  by  the  information  worksheet  in  Exhibit  8.4.  Although  this  *econdary  c)a1ma8e  . . 

engine  might  be  analyzed  at  the  module  or  section  level,  at  the  engine  secondary  damage 
level  its  functions  can  be  defined  as  follows:  failures  caused  by  deterioration 

► To  provide  specified  amounts  of  thrust  without  exceeding  the  ac- 
ceptable levels  of  the  engine  operating  parameters 

► To  drive  engine-mounted  accessories,  such  as  the  fuel  pump,  oil 
pump,  fuel-control  unit,  hydraulic  pump,  and  constant-speed  drive 
generator 

► To  provide  high-pressure  air  to  the  pneumatic  system  for  use  by 
subsystems 

► To  provide  reverse  thrust  to  assist  in  braking  the  airplane  (assumed 
as  a function  of  this  engine  design) 

At  this  point  let  us  consider  the  first  type  of  engine  failure,  a failure  to 
provide  specified  thrust  (including  complete  loss  of  thrust,  or  an  engine 
shutdown): 


1 Is  the  occurrence  of  a failure  evident  to  the  operating  crew  during 
normal  performance  of  duties? 


Any  reduction  in  engine  thrust  will  be  evident,  because  the  engine 
pressure  ratio  and  other  instrument  readings  are  closely  monitored  by 
the  operating  crew.  When  the  airplane  is  in  flight,  changes  in  engine 
output  may  also  be  signaled  by  throttle  vibration  or  audible  thumps. 

Hence  the  answer  to  this  question  is  yes. 

The  next  step  in  RCM  analysis  would  ordinarily  be  to  examine  each 
of  the  failure  modes  that  might  lead  to  this  functional  failure.  In  identi- 
fying the  probable  failure  mod  _-s,  however,  it  will  be  found  that  some 
involve  the  fracture  of  a part  that  can  cause  critical  secondary  damage, 
whereas  others  involve  a fracture  without  such  damage,  and  still  others 
involve  general  deterioration  with  no  fractured  parts.  For  convenience, 
then,  we  can  group  all  significant  assemblies  and  parts  into  these  three 
' isses  and  analyze  each  class  of  failure  modes  separately. 

ACTURES  WITH  CRITICAL  SECONDARY  DAMAGE 

compressor  disks,  turbine  disks,  and  turbine  blades  are  typical  of  the 
powerplant  items  whose  fracture  can  cause  critical  secondary  damage. 

It  is  apparent  from  the  failure  effects  described  in  Exhibit  8.4  that  all  SECTION  8-3  205 


EXHIBIT  8 a4  An  information  worksheet  for  analysis  of  the  Pratt  & 
Whitney  JT8D-7  powerplant  of  the  Boeing  727. 


POWERPLANT  INFORMATION  WORKSHEET  type  of  aircraft  Boeing  727 

type  of  engine  Pratt  Sc  Whitney  JT8D-7 


item  number 

item  name  Propulsion  powerplant 
vendor  part/model  no.  JT8D-7 


item  description 

Axi.-l-flow  front-turbofan  engine  with  a thirteen- 
stage  split  compressor  (two  spools),  a nine-can 
(can-annular)  combustion  chamber,  and  a split  four- 
stage  turbine. 


reliability  data 

premature-removal  rate  (per  1,000  unit  hours) 
failure  rate  (per  1,000  unit  hours) 
source  of  data 


functions  functional  failures 

1 To  provide  specified  amounts  A Engine  does  not  provide 
of  thrust  without  exceeding  the  specified  thrust  (including 

acceptable  values  of  engine  case  of  no  thrust) 

operating  parameters 
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P»8* 


of 


no.  per  aircraft  3 


module 


prepared  by  T.  M.  Edwards 
reviewed  hy  F.  S Nowlan 
approved  by 


d"\e  2/14/78 
c»e  1/14/78 


redundancies  and  protective  features  /include  instrumentation) 

The  airplane  has  three  engines;  operating  weight  is  controlled  tor 
all  flights  so  that  airworthiness  requirements  can  be  met  with  one  engine 
inoperative.  Full  instrumentation  of  all  engine  operating  parameters; 
each  engine  protected  by  fire-waming  and  fire-extinguishing  system. 


built-in  test  equipment  (describe)  None 


Can  aircraft  be  dispatched  with  item 
inoperative?  If  so,  list  any  limitations 
which  must  be  observed. 


classifier '.ion  of  item  •/■beck) 
X significant 

hidden  function 
nonsiumfh.a-it 


failure  modes 

1 Failure  of  parts  whose  fracture 
can  cause  critical  secondary  damage: 

a Failure  cf  "ompressor  or 
turbine  disks 

b Failure  of  turbine  blades 

2 Failure  of  parts  whose  fracture 
does  not  cause  critical  secondary 
damage: 

Towershaft  bearing  or  gear 
failure 

3 Failure  resulting  from  general 
deterioration  without  the  fracture 
of  parts: 

Deterioration  of  combustion 
chambers,  nozzle  guide  vanes, 
compressor  blades,  etc. 


failure  effects 

Immediate  loss  of  thrust  or  flamraut,  confirmed  by 
instrument  readings;  possible  critical  secondary  da.nuge  if 
engine  case  does  not  contain  fractured  parts;  pilot  will  abort 
takeoff  if  prior  to  takeoff-refusal  speed,  oftethke  will  land 
at  nearest  suitable  airport;  engine  change  required 

Immediate  loss  of  thrust  or  flameout,  ccnlirmed  by 
instrument  readings;  operational  effects  as  tor  1 A I;  engine 
change  required 


Progressive  loss  of  engine  efficiency  as  shoirn  by  instru- 
ment readings;  it  desired  thrust  cannot  be  obtained 
without  exceeding  maximum  exhaust-gas  temperature- 
pilot  will  abort  takeoff  if  prior  to  ikeoff -refusal  speed; 
if  airborne  may  continue  flight  at  reduced  powor  or  shut 
down  engine  and  land  at  nearest  suitable  airport;  engine 
change  may  be  required 


V. 


such  failures  will  immediately  be  evident  to  the  operating  crew.  As  for 
any  failure  of  the  basic  engine  function,  therefore,  the  answer  to  the  first 
decision-diagram  question  is  yes. 

The  next  step  in  the  decision  process  is  to  determine  the  precise 
nature  of  the  failure  consequences: 

2 Does  the  failure  cause  a loss  of  function  or  secondary  damage  that 

could  have  a direct  adverse  effect  on  operating  safety? 

Although  the  loss  of  thrust  has  no  safety  consequences,  all  items 
whose  failure  involves  secondary  damage  fall  in  the  safety  branch  of 
the  decision  diagram  (see  Exhibit  8.5). 

Disks,  for  example,  are  subject  to  low-cycle  fatigue  failures,  and  when 
they  fracture,  any  fragments  that  cannot  be  contained  by  the  engine 
case  can  damage  the  nacelle,  wing,  or  fuselage.  Even  if  these  projectiles 
do  not  damage  the  aircraft  structure,  theie  is  the  hazard  of  hot  gases 
escaping  through  the  tom  engine  case.  Ejected  turbine  blades  present 
the  same  hazards,  Turbine-blade  failures  have  sometimes  occurred  with 
no  observable  effect  on  thrust  and  no  other  evidence  of  failure  (in  this 
case  failure-finding  inspections  are  necessary).  However,  they  have  also 
been  known  to  be  ejected  and  cause  critical  secondary  damage.  There 
is  no  way  of  knowing  whether  this  problem  has  been  overcome  in  the 
present  design,  so  in  the  interests  of  conservatism  the  blades  have  been 
included  ir.  this  class  of  items. 

The  next  step  is  iO  evaluate  proposed  scheduled-maintenance  tasks. 
A yes  answer  to  the  safety  question  means  that  no  task  can  be  con- 
sidered effective  unless  it  reduces  risk  of  a functional  failure  to  an  accept- 
able level.  From  this  point  on,  however,  we  must  examine  each  failure 
mode  separately,  because  the  applicability  of  a particular  task  will 
depend  on  the  failure  characteristics  of  the  part.  Our  next  question 
therefore  concerns  a possible  maintenance  task  for  the  disk: 

4 Is  an  on-i  /edition  task  to  detect  potential  failures  both  applicable 

and  effective? 

A low-cycle  fatigue  failure  begins  as  a slip  along  crystallographic  planes 
in  the  metal,  which  progresses  under  repeated  load  applications  until  a 
small  crack  eventually  becomes  visible.  After  this  point,  however,  the 
crack  propagates  very  rapidly  to  the  point  of  fracture.  Most  of  the  disks 
are  also  inaccessible  in  the  installed  engine;  thus  even  if  it  were  possible 
to  define  the  crack  as  a potential -failure  condition,  the  engine  would 
have  to  be  removed  and  disassembled  more  frequently  than  is  feasible. 
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EXHIBIT  8*5  The  branch  of  the  decision  diagram  used  for  analysis  of 
engine  failures  involving  critical  secondary  damage. 


A no  answer  to  the  on-condition  question  means  we  must  look  for 
other  tasks: 


5 Is  a rework  task  to  avoid  failures  or  reduce  the  failure  rate  both 
applicable  and  effective? 


The  conditional  probability  of  disk  failure  does  increase  at  an  identi- 
fiable operating  age,  However,  a rework  task  must  restore  the  item's 

orig-nal  resistance  to  failure.  Fora  part  subject  to  metal  fatigue  no  rework  SECTION  8-3  209 
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method  has  been  found  that  will  eliminate  the  material's  "memory"  of 
repeated  loads,  so  the  answer  to  the  rework  question  is  no. 
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6 Is  a discard  task  to  avoid  failures  or  reduce  the  failure  rate  both 
applicable  and  effective? 


Because  on-condition  inspections  are  not  applicable,  the  manufacturer 
has  established  a safe-life  limit  for  the  disk  in  each  stage  of  the  com 
pressor  and  the  turbine.  One  engine  manufacturer  uses  a computer 
model,  based  on  material  strength  tests  and  stress  calculations,  that 
simulates  the  in-service  aging  of  the  disk.  This  model  has  been  validated 
by  the  results  of  developmental  spin  testing  of  many  different  disks 
used  in  various  engine  designs.  The  safe-life  limit  determined  by  this 
technique  is  the  operating  age  at  which  one  disk  per  1,000  will  develop 
a crack  of  1/32  inch.  The  disks  are  designed  to  have  safe  lives  ranging 
from  10,000  to  20,000  hours,  and  these  are  the  intervals  that  will  be  used 
for  the  discard  tasks. 

The  answer  to  the  discard  question  is  yes,  and  the  analysis  of  this 
failure  mode  is  complete.  Each  type  of  disk  is  assigned  a discard  task 
scheduled  for  the  safe-life  limit  established  for  that  disk.  In  this  case 
an  on-condition  task  might  also  be  assigned  — an  inspection  for  any 
damage  that  might  prevent  attainment  of  the  safe-life  age,  to  be  per- 
formed whenever  the  disks  are  accessible  during  the  normal  course  of 
repair  work  on  the  engine. 

The  failure  process  in  turbine  blades  is  somewhat  different  from 
that  in  disks.  The  blades  are  in  a hot-gas  stream  that  exerts  ai  rodynamic 
forces  on  them.  The  forces  pulsate  as  the  blades  pass  by  the  stationary 
guide  vanes,  with  the  result  that  the  blades  are  also  subject  to  fatigue 
failure.  The  propagation  of  fatigue  cracks  in  blades,  however,  is  much 
slower  than  it  is  in  disks.  In  addition,  the  blades  are  subject  to  creep  and 
oxidation  caused  by  the  high  temperature  of  the  gases  and  to  erosion 
from  solid  particles  in  the  gas.  in  this  case  on-condition  inspection  is 
more  promising: 


4 Is  an  on-condition  task  to  detect  potential  failures  both  applicable 
and  effective? 


Potential  failures  can  be  defined  for  such  conditions  as  oxidation,  ero- 
sion, blade-root  wear,  and  fatigue  cracks;  therefore  an  on-condition  task 
is  applicable.  It  will  also  be  effective,  since  the  blades  can  be  inspected 
at  short  enough  intervals  to  ensure  that  potential  failures  will  preempt 
functional  failures.  Thus  the  answer  is  yes,  and  analysis  of  this  failure 
mode  is  complete. 


On-condition  tasks  for  the  blades  would  probably  be  specified  at 
two  levels -on  the  aircraft  and  in  the  shop.  For  example,  a boiescope 
inspection  of  all  turbine  blades  on  installed  engines  might  be  assigned 
at  an  initial  interval  of  150  operating  hours,  with  a "broomstick"  check 
of  the  fourth-stage  turbine  blades  for  looseness  scheduled  at  intervals 
of  300  to  400  hours.  In  addition,  as  part  of  the  opportunity-sampling 
program,  an  inspection  of  the  blades  for  creep,  heat  deterioration,  cracks, 
and  wear  at  the  roots  would  probably  be  scheduled  (nr  every  shop  visit 
of  the  engine,  with  a threshold  age  of  500  hours. 

Note  that  on  some  engines  the  first-stage  turbine  nozzle  guide 
vanes  would  also  fall  into  the  class  of  items  whose  failure  can  cause 
critical  secondary  damage.  The  nozzle  guide  vanes  on  the  JT3D  engine, 
described  in  Exhibit  8.3,  would  therefore  be  analyzed  through  the  safety 
branch  of  the  decision  diagram.  This  engine  has  a hollow  shaft  through 
which  an  isotope  pill  can  be  inserted  to  expose  radiographic  film  placed 
on  the  engine  case  at  the  outer  ends  of  the  vanes  The  exposed  film 
shows  the  amount  of  bowing  that  has  occurred,  and  also  the  remaining 
clearance  between  the  vanes  and  the  adjacent  turbine  blades.  Thus  an 
on-condition  task  is  applicable,  and  it  would  be  scheduled  at  intervals 
short  enough  to  prevent  all  critical  failures. 

In  the  engine  under  consideration  here  the  same  task  would  apply 
However,  the  JT8D  engine  has  been  designed  so  that  bowing  of  the 
nozzie  guide  vanes  will  cause  the  exhaust-gas  temperature  to  reach  the 
limit  before  the  vanes  reach  a state  in  which  they  can  intersect  the  tur- 
bine plane.  Thus  the  ultimate  effect  of  this  failure  mode  in  the  JT8D 
engine  is  a functional  failure  caused  by  engine  inefficiency,  rather  than 
a failure  with  critical  secondary  damage. 

FRACTURES  WITH  NO  CRITICAL  SECONDARY  DAMAGE 

The  second  class  of  powerplant  items  is  subject  to  fractures  that  do  not 
cause  critical  secondary  damage  (although  the  secondary  damage  is 
often  expensive).  Typical  items  in  this  class  are  the  towershaft  bearing 
and  the  towershaft  gears.  Failure  of  either  of  these  items  will  .esult  m 
inability  to  drive  the  engine-mounted  accessories,  including  the  fuel 
pump,  and  the  engine  will  flame  out.  We  know,  therefore,  that  the  fail- 
ure will  be  evident  to  the  operating  crew.  Since  a loss  of  thrust  is  not 
critical  and  this  class  of  failure  modes  has  no  critical  secondary  effects, 
we  also  know  that  there  are  no  safety  consequences. 

A no  answer  to  the  safety  question  brings  us  to  the  question  of  oper- 
ational consequences: 


3 Does  the  failure  have  a direct  adverse  effect  on  operational 
capability? 
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EXHIBIT  8-6  The  branch  of  the  decision  diagram  used  for  analysis  of 
engine  failures  that  do  not  involve  critical  secondary  damage. 


The  answer  to  this  question  is  yes,  because  any  failure  of  the  basic 
engine  function  has  operational  consequences.  Since  these  conse- 
quences are  economic,  scheduled  maintenance  is  desirable  if  it  is  cost- 
effective.  Hence  we  must  examine  all  applicable  tasks  on  this  basis  (see 
Exhibit  8.6). 

Bearing  and  gear  failures  are  caused  by  fatigue,  perhaps  accelerated 
by  inadequate  or  contaminated  lubrication.  The  failure  process  begins 


with  spalling  and  fine  cracks  on  the  bearings  and  wear  and  fine  cracks 
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surfaces,  and  when  the  integrity  of  the  hard  surface  has  been  lost,  com- 
plete disintegration  proceeds  rapidly. 


8 Is  an  on-condition  task  to  detect  potential  failures  both  applicable 
and  effective? 

In  some  cases  fragments  of  shed  metal  can  be  detected  by  inspection 
of  magnetic  plugs  and  oil  screens,  and  the  existence  of  these  metal  par- 
ticles can  be  defined  as  a potential  failure.  While  such  inspections  are 
applicable,  they  miss  a large  number  of  potential  failures.  They  are  cost- 
effective,  however,  because  the  discovery  of  even  one  potential  failure 
more  than  offsets  the  cost  of  years  of  such  inspections.  Thus  the  answer 
is  yes  for  these  tasks,  and  they  would  be  included  in  the  program. 

The  real  control  of  gear  and  bearing  failures  comes  from  on-condi- 
tion inspections  performed  when  the  engine  is  in  the  shop.  Visual 
inspection  of  the  balls,  rollers,  races,  and  gear  teeth  for  cracking,  wear, 
or  deformation,  using  10-  to  30-power  magnification,  has  been  found 
to  identify  most  potential  failures.  The  bearings  and  gears  are  put  in 
the  opportunity-sampling  program  to  establish  the  optimum  interval 
for  shop  inspections,  and  the  analysis  of  these  items  is  complete. 

FAILURES  CAUSED  BY  DETERIORATION 

Whereas  fractured  parts  can  cause  extensive  secondary  damage  — with 
or  without  safety  consequences  — a large  number  of  engine  failures  are 
the  result  of  deterioration  that  does  not  involve  the  fracture  of  any  part. 
When  some  part  of  the  engine  is  not  functioning  efficiently,  more  and 
more  throttle  is  required  to  attain  the  desired  thrust.  This  increases  the 
fuel  flow,  and  thus  the  exhaust-gas  temperature,  which  may  further 
accelerate  deterioration  of  the  parts  involved.  Eventually  one  of  the 
engine  operating  parameters,  usually  the  exhaust-gas  temperature,  will 
be  exceeded  before  the  desired  thrust  is  reached,  and  a functional  fail- 
ure of  the  engine  has  occurred.  Items  involved  in  this  class  of  failure 
modes  are  the  airseais,  compressor  blades,  combustion  chambers,  and 
in  this  engine  the  turbine  nozzle  guide  vanes. 

The  i eduction  in  engine  power  is  evident  to  the  operating  crew 
and  has  no  safety  consequences.  Such  failures  will  still  have  opera- 
tional consequences,  however,  because  the  engine  may  be  replaced 
after  the  airplane  lands.  Hence  analysis  of  the  items  in  this  category  also 
falls  in  the  operational-consequences  branch  of  the  decision  diagram, 
where  scheduled  maintenance  is  desirable  if  it  is  cost-effective. 

Compressor  blades  are  exposed  to  erosion  and  airseais  to  wear, 
causing  losses  in  aerodynamic  efficiency.  Since  the  burner  cans  and  the 
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EXHIBIT  8*7  A worksheet  showing  the  results  of  analysis  for  the 
primary  engine  function  of  the  Pratt  & Whitney  JT8D-7  powerplant. 

The  references  in  the  first  column  are  to  the  failure  modes  listed  for 
the  primary  engine  function  in  F hibit  8.4. 

POWUPLANT  DECISION  WOtKSHEET  type  of  aircraft  Boeing  727 

type  of  engine  Pratt  Sc  Whitney  JT8D-7 


item  name  Propulsion  powerplant 

responses  to  decision-diagram  questions 
ref.  consequences  task  selection 

FFFFM  1 2 3 4 5 6 7 8 9 10  11  12  13  14  15  16 
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page  1 of  2 
item  number 


prepared  by  T.  M.  Edwards 


reviewed  by  F.  S.  Nowlan 


proposed  task 


initial  interval 


Remove  and  discard  all  compres- 
sor and  turbine  disks  at  life  limit 

Borescope  inspection  cf  all 
turbine  blades 

Broomstick  check  of  fourth-stage 
turbine  blades  for  looseness 

Inspect  all  turbine  blades  for 
wear,  creep,  and  cracking 


Check  magnetic  plugs  and  screens 
for  metallic  particles 

Inspect  all  towershaft  and  drive- 
train  elements  for  wear,  deforma- 
tion, and  cracking 

Borescope  inspection  of  combus- 
tion chambers,  nozzle  guide  vanes, 
liners,  supports,  and  seals  visible 
through  hot-section  access  ports 

Borescope  inspection  of  seventh-  to 
thirteenth-stage  compressor  blades, 
stators,  spacers,  and  seals  visible 
through  compressor  access  ports 

Inspect  all  rotating  parts,  gas-path 
parts,  hot-section  parts,  and  main 
bearings  for  wear,  deformation, 
and  cracking 


Manufacturer's  safe-life  limit  for 
each  type  of  disk 

50  flight  cycles  or  150  hours, 
whichever  is  first 

300  to  400  hours 


During  engine  shop  visit;  use 
opportunity  sampling  to  establish 
best  frequency,  initial  threshold 
500  hours 

300  to  400  hours 


During  engine  shop  visit;  use 
opportunity  sampling  to  establish 
best  frequency,  initial  threshold 
500  hours 

50  flight  cycles  or  150  hours, 
whichever  is  first 


150  flight  cycles  or  450  hours, 
whichever  is  first 


During  disassembly  for  engine 
repair;  use  opportunity  sampling 
to  establish  best  frequency, 
initial  threshold  500  hours 
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heat  deformation.  All  these  deterioration  processes  occur  slowly  and  at 
a relatively  constant  rate,  a situation  which  favors  on-condition  inspec- 
tions: 


8 Is  an  on-condition  task  to  detect  potential  failures  both  applicable 
and  effective?  . , 


The  answer  is  yes  for  most  of  these  items,  such  as  compressor  blades, 
combustion  chambers,  and  nozzle  guide  vanes.  Their  condition  can  be 
ascertained  by  borescope  or  radioisotope  inspections  while  the  engine 
is  still  installed,  and  the  rate  of  deterioration  is  slow  enough  to  identify 
at  the  potential-failure  stage. 

Since  the  hot  section  usually  suffers  the  most  rapid  deterioration 
in  a new  engine,  borescope  inspections  might  be  scheduled  for  the 
combustion-chamber  outlets,  nozzle  guide  vanes,  and  surrounding 
liners,  supports,  and  seals  at  an  initial  interval  of  50  flight  cycles  or  150 
operating  hours,  whichever  comes  first/  Next  to  the  hot  section,  the 
high-pressure  compressor  has  the  highest  rate  of  deterioration.  Thus 
borescope  inspections  of  the  seventh-  to  thirteenth-stage  compressor 
blades  might  be  scheduled  for  an  initial  interval  of  150  to  200  flight 
cycles  or  450  to  600  operating  hours. 

In  addition  to  these  scheduled  inspections  on  installed  engines, 
most  of  the  rotating  parts,  gas-path  parts,  hot-section  parts,  and  bear- 
ings would  be  assigned  to  shop  inspection  of  opportunity  samples, 
with  an  initial  age  threshold  of  perhaps  500  hours.  During  these  inspec- 
tions the  dimensions  and  condition  of  each  part  are  compared  with  the 
“acceptable  for  service"  limits  established  by  the  manufacturer.  Parts 
that  have  deteriorated  beyond  these  limits  are  repaired  or  replaced  and 
parts  within  the  limits  are  returned  to  service. 

Note  that  taking  the  engine  out  of  service  because  the  exhaust-gas 
temperature  exceeds  a defined  limit  is  in  itself  a form  of  on-condition 
action,  since  this  limit  is  established  to  prevent  expensive  damage  to 
the  combustors,  turbine  blades,  vanes,  and  liners.  One  might  wonder, 
therefore,  why  additional  on-condition  tasks  are  directed  at  these  items. 
The  reason  is  that  increased  exhaust-gas  temperature  measures  the  total 
efficiency  of  all  gas-path  parts.  Thus  the  temperature  might  be  within 
the  limit  if  most  parts  were  in  good  condition,  even  if  one  part  — say, 
the  nozzle  guide  vanes -had  deteriorated  beyond  the  point  of  econom- 
ical repair.  In  the  interests  of  economy,  then,  it  is  better  to  inspect  the 
nozzle  guide  vanes  and  judge  them  by  their  individual  condition  than 
to  wait  for  the  temperature  to  reach  the  limit.  This  concept  becomes 
increasingly  important  for  in-service  engines,  which  are  composed  of 
parts  of  diverse  ages  as  a result  of  the  normal  repair  cycle. 

'These  low  initial  intervals  represent  the  practices  followed  in  the  mid-1960s. 


It  is  also  important  to  bear  in  mind  that  this  analysis  is  based  on  a 
redundant  engine  installation.  The  engine  is  one  of  three  in  a multi- 
engine  airplane.  If  this  engine  were  installed  in  a single-engine  air- 
craft, analysis  of  the  same  items  would  lead  to  completely  different 
results,  because  in  this  case  a loss  of  function  might  in  itself  constitute 
a critical  failure.  The  analysis  of  all  failure  modes  involving  a major  loss 
of  thrust  would  therefore  fall  in  the  safety  branch,  where  any  applicable 
tasks  would  be  scheduled  regardless  of  cost  effectiveness.  The  criteria 
for  task  applicability  would  remain  the  same,  however;  thus  scheduled 
rework  would  still  be  applicable  only  for  those  engine  parts  whose 
conditional-probability  curves  show  both  an  identifiable  wearout  age 
and  a high  probability  of  reaching  that  age  without  failure.  Since  an 
item  subject  to  numerous  failure  modes  rarely  satisfies  these  conditions 
(see  Section  2.8),  scheduled  rework  of  the  entire  engine  would  be  un- 
likely to  make  a significant  difference  in  its  operating  safety. 


8 • 4 FAILURES  OF  SECONDARY 
ENGINE  FUNCTIONS 


In  addition  to  the  basic  engine  function  of  providing  specified  thrust, 
three  secondary  functions  have  been  listed  for  the  Pratt  & Whitney 
JT8D  engine  under  consideration.  These  functions  and  their  associated 
functional  failures  and  failure  modes  are  listed  on  the  continuation 
worksheet  shown  in  Exhibit  8.8.  One  of  these  functions,  to  drive  the 
engine-mounted  accessories,  has  two  failure  possibilities:  inability  to 
drive  any  of  the  accessories  and  the  inability  to  drive  a particular  acces- 
sory. The  failure  modes  that  cause  a total  inability  to  drive  any  of  the 
accessories  are  associated  with  bearing  and  gear  failures  in  the  tower- 
shaft  drive  train,  discussed  in  the  preceding  section.  The  inability  to 
drive  individual  accessories  could  be  defined  as  a separate  functional 
failure  for  each  accessory.  From  the  standpoint  of  the  engine,  how- 
ever, we  can  consider  this  case  as  a single  functional  failure  with  several 
failure  modes. 

The  first  question,  as  before,  is  whether  failure  of  the  engine  to 
drive  some  one  of  the  accessories  will  be  evident: 


failure  to  drive  accessories 
failure  to  supply  pneumatic 
system 

failure  to  provide  reverse  thrust 


1 Is  the  occurrence  of  a failure  evident  to  the  operating  crew  during 
performance  of  normal  duties? 


The  performance  of  each  engine  accessory  is  monitored  by  means  of 
cockpit  instrumentation,  and  a malfunction  of  any  accessory  would  be 
evident  from  the  instrument  readings  (see  Exhibit  8.8).  Thus  the  answer 
to  this  question  is  yes  for  all  failure  modes. 
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EXHIBIT  8*8  Continuation  information  worksheet  for 
functions  of  the  Pratt  & Whitney  JT8D-7  powerplant. 


the  secondary 


CONTINUATION  WOCKSHIET  type  of  aircraft  Boeing  727 

type  of  engine  Pratt  * Whitney  JT8D-7 

item  number 

Item  name  Propulsion  powerplant 


^vendor  part/model  no.  JT8D-7 


\ functions 

2  To  drive  the  engine-mounted 
accessories 


functional  failures 

A Inability  to  drir>  any  engine 
accessory 


B Inability  to  drive  one  of  the 
engine  accessories 


3  To  provide  high-pressure  air 
to  the  pneumatic  system 


A Does  not  provide  sufficient 
bleed  air  (pneumatic  pressure) 


4  To  provide  reverse  thrust  for 
braking  assistance 


A Inability  to  provide  reverse 
thrust 


1 
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B Thrust  reverser  jammed 
during  reverse-thrust  sequence 


page  2 of  2 


no.  per  aircraft  3 

prepared  by 

T.  M.  Edwards 

date 

2/14/78 

section 

reviewed  by 

F.  S.  Nowlan 

date 

2/14/78 

module 

approved  by 

date 

1 


failure  modes 

1 Failure  of  main -gearbox  drive 


1 Failure  of  constant-speed-drive 
generator  splines 


2 Failure  of  hydraulic-pump  drive 
splines 


3 Failure  of  fuel-pump  drive 
splines  or  bearings 


4 Failure  of  oil-pump  drive 
bearings 

1 Burst  saddle  duct 


Bunt  pneumatic-actuator  supply 
« .ct 


1 Binding  due  to  wear  of 
mechanical  components 


failure  effects 

Instruments  show  no  output  from  any  accessory;  engine 
flameout;  pilot  will  abort  takeoff  if  prior  to  takeoff-refusal 
speed,  otherwise  will  land  at  nearest  suitable  airport;  engine 
change  required 

Instruments  show  no  output  from  one  generator;  crew  will 
disconnect  generator  from  constant-speed  drive  as  a 
precaution;  aircraft  '.an  be  dispatched  with  one  generator 
inoperative 

Instruments  show  no  pressure  from  one  pump;  crew  will 
disconnect  pump  for  completion  of  flight;  gearbox  or  engine 
change  required  at  destination 

Instruments  show  no  output  from  fuel  pump;  engine  flame- 
out, with  operational  effects  as  for  2 A 1;  gearbox  or  engine 
change  required 

Instruments  show  loss  of  oil  pressure,  requiring  engine 
shutdown;  operational  effects  as  for  2 A 1;  engine  change 
required 

Loss  of  some  pneumatic  pressure,  instruments  show  increased 
fiiel  flow,  exhaust-gas  temperature,  and  engine  speed;  heat 
damage  to  insulation  and  hoses,  with  probable  fire  warning 
resulting  in  engine  shutdown;  operational  effects  as  for  2 A 1; 
engine  change  required 

Instruments  show  thrust  reverser  inoperative,  loss  of 
braking  assistance  from  one  engine;  may  require  correction 
before  further  dispatch 

/ 

Instruments  show  thrust  reverser  active;  correction  required 
before  further  dispatch 


This  brings  us  to  the  question  of  possible  safe*”  consequences: 


2 **  „ ^,iu!  ! a loss  of  function  or  secondary  damage 

that  could  have  a di.--ct  adverse  effect  on  operating  safety? 


Failure  of  certain  of  the  accessory  drives,  such  as  those  for  the  fuel  pump 
and  the  oil  pump,  can  lead  to  complete  loss  of  thrust  from  the  engine, 
but  an  engine  shutdown  does  not  in  itself  affect  safety.  Recent  engines, 
including  this  one,  have  also  been  designed  so  that  accessory-drive  parts 
do  not  penetrate  the  case.  There  is  therefore  no  exposure  to  critical 
secondary  damage  from  these  failures,  and  the  answer  to  this  question 
is  no. 


3 Does  the  failure  have  a direct  adverse  effect  on  operational 
ca;  ability? 


The  airplane  usually  cannot  be  dispatched  when  one  of  the  engine- 
driven  accessories  is  inoperative  (this  information  would  appear  on 
the  information  worksheets  for  the  pertinent  systems  items).  If  the  pro- 
blem is  caused  by  a failure  of  the  internal  accessory  drive,  however, 
it  is  necessary  to  repair  or  replace  the  engine  before  further  dispatch. 
Thus  any  failure  of  the  accessory  drive  train  has  operational  conse- 
q 'ences,  and  scheduled  maintenance  is  desirable  if  it  is  cost-effective. 

To  ' aluate  proposed  tasks  we  must  consider  the  failure  process: 


8 Is  an  on-'  ^ndition  task  to  detect  potential  failures  both  applicable 
and  effective? 


Spline  wear  in  each  of  the  accessory  drive  trains  is  a major  source  of 
trouble,  and  we  know  that  on-condition  inspections  to  measure  spline 
wear  are  applicable.  Hence  the  answer  to  this  question  is  yes.  The 
accessory  drive  shafts,  gear,  and  bearings  are  assigned  to  the  shop 
opporvunity-sampling  program  to  determine  the  most  effective  inspec- 
tion interval;  in  addition,  the  splines  in  the  accessory  gear  box  are  sched- 
uled for  inspection,  on  the  aircraft  whenever  an  accessory  is  changed. 

The  third  function  of  the  engine  is  to  provide  high-pressure  air 
for  the  pneumatic  system,  a i one  failure  mode  is  a burst  bleed-air 
duct.  In  a powerplanl  analysis  we  would  be  concerned  with  the  duct- 
ing that  is  part  of  the  quick-engine-change  assembly;  this  includes 
the  sixth-,  eighth-,  and  thirteenth-stag.;  saddle  ducts.  Downstream  duct- 
ing is  analyzed  either  as  part  of  the  pneumatic  system  or  as  part  of  the 
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system  it  serves.  A burst  saddle  duct  in  any  of  these  stages  will  be  evi- 
dent to  the  operating  crew.  Cockpit  instrumentation  shows  the  pressure 
in  the  duct  to  the  cabin  air-conditioning  system,  but  hot  air  from  the 
duct  will  also  trigger  a fire  warning,  and  the  free  escape  of  bleed  air  will 
affect  engine  performance. 

Because  of  the  fire-warning  system,  tt.is  type  of  failure  is  not 
critical.  Although  hot  thirteenth-stage  bleed  air  may  bum  wiring  insula- 
tion and  char  hoses,  the  most  serious  effect  ic  the  need  to  shut  down 
an  engine  after  a fire  warning.  Such  a failure  does  have  operational 
consequences,  however,  since  the  airplane  cannot  be  dispatched  until 
the  burst  duct  is  repaired.  Thus  once  again  we  are  concerned  only  with 
the  cost  effectiveness  of  proposed  maintenance  tasks. 

Examination  of  the  failure  process  shows  that  stresses  in  the  duct 
lead  to  the  development  of  fine  cracks,  which  can  be  detected  by  on- 
condition  inspections.  Experience  with  earlier  equipment  has  shown 
that  such  inspections  will  not  identify  all  potential  failures.  However, 
this  task  can  be  performed  on  installed  engines  and  can  be  scheduled 
for  short  intervals.  An  on-condition  task  is  therefore  both  applicable 
and  cost-effective,  and  our  analysis  of  this  type  of  failure  is  complete. 

The  fourth  function  of  the  engine  is  to  provide  reverse  thrust  to 
assist  in  braking  the  airplane,  and  this  function  is  also  subject  to  two 
failure  possibilities:  either  the  reverser  will  not  operate  at  all  or  it  jams 
during  the  reversing  sequence.  The  only  predictable  mode  for  the  first 
type  of  failure  is  bursting  of  the  pneumatic  supply  duct  to  the  actuator, 
whereas  the  second  type  of  failure  can  be  caused  by  wear  in  many 
different  parts  of  the  mechanical  linkages.  The  cockpit  instruments 
include  a light  that  indicates  when  the  reverser  has  left  its  stowed  posi- 
tion and  is  in  transit  to  the  reverse-thrust  position.  Inability  of  the 
reverser  to  operate  is  therefore  evident. 

No  credit  is  given  to  availability  of  reverse  thrust  in  determining 
the  runway  lengths  required  for  landing  and  takeoff,  and  it  is  permis- 
sible to  dispatch  an  airplane  with  one  reverser  inoperative.  Thus  the 
failure  of  a reverser  is  not  considered  to  have  safety  consequences. 
The  reverser  does  have  great  value  in  certain  situations,  however,  such 
as  the  need  to  avoid  other  aircraft  on  the  runway  or  when  braking 
action  is  reduced  by  water  or  snow.  For  certain  destination  conditions 
the  operating  crew  may  request  that  all  reversers  be  operative  at  take- 
off. A reverser  failure  is  therefore  classified  as  having  operational  con- 
sequences, although  these  consequences  will  not  be  involved  under 
all  circumstances.  Inspection  of  the  pneumatic  supply  ducts  would  be 
scheduled  for  the  same  work  package  as  inspection  of  the  engine  pneu- 
matic ducts,  as  shown  in  Exhibit  8.9. 

| 

J The  second  type  of  failure,  jamming  of  the  reverser  in  the  reverse- 

, thrust  position,  is  also  evident,  since  there  is  a cockpit  warning  light 


4^ 
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EXHIBIT  8 ’9  A worksheet  sh<  in^  t'1  ’ results  of  analysis  for  the 
secondary  engine  functions  of  the  Pra  Sc  Whitney  JTP.D-7 
powerplant.  The  reference;,  in  the  first  colum  are  to  the  functions, 
functional  failures,  and  failure  modes  listed  in  Exhibit  8.8. 


POWIMANT  DECISION  WORKSHEET  type  of  aircraft  Boeing  727 

type  of  engine  Pratt  8k  Whitney  JT8D-7 

item  name  Propulsion  powerplant 

responses  to  decision-diagram  questions 
ref.  consequences  task  selection 

F FF  FM  1 it  3 4 5 i 7 8 9 10  11  12  13  14  15  16 

2  A 1 Y N Y Y 


2B  1 YNY — — Y 

2 B 2 YNY Y 
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3 B 4 YNY — — Y 


3  A 1 YNY Y 


4  A 1 YNY Y 


4  B 1 YNY-- Y 


222  APPLICATIONS 


prepared  by  T.  M.  Edwards 


page  2 of  2 
item  number 


reviewed  by  F.  S.  Nowlan 


proposed  task 


initial  interval 


Same  tasks  as  1 A 2 for  towershaft 
drive-train  elements 


Inspect  all  drive  shafts  for  spline 
wear 


Inspect  all  accessory  drive-train 
elements  for  wear  and  cracking 


Whenever  accessory  unit  is 
changed  or  is  accessible  during 
engine  shop  visit 

During  engine  shop  visit;  use 
opportunity  sampling  to  establish 
best  frequency,  initial  threshold 
500  hours 


Inspect  all  engine  pneumatic  100  to  200  hours 

ducts  for  heat  distress,  cracking, 
and  leaks 

Inspect  thrust  reverser  pneumatic  100  to  200  hours 
ducts  for  heat  distress,  cracking, 
and  leaks 


Inspect  thrust-revereer  linkages,  100  to  200  hours 

tracks,  and  actuator  mechanism 
for  wear  or  binding 


that  indicates  when  the  reverser  is  >n  this  position.  In  this  case  the 
failure  clearly  has  operational  consequences,  Wear  and  binding  in  the 
thrust-reverser  mechanism  are  signs  of  reduced  resistance  to  failure. 
On-condition  inspection  is  therefore  applicable  and  the  various  link- 
ages, actuators,  and  tracks  would  be  scheduled  for  inspection  at  the 
same  time  as  the  supply  ducts. 


8*5  THE  ROLE  OF  AGE  EXPLORATION 


sample-inspection  requirements 

the  opportunity-samplinn 
program 

age  exploration  anti  product 
improvement 


The  preceding  analysis  covers  only  a few  of  the  tasks  that  would  be 
included  in  an  initial  powerplant  program.  It  is  apparent  from  these 
examples,  however,  that  when  the  engine  itself  is  treated  as  a signifi- 
cant item,  the  parts  that  cause  it  to  fail  will  generally  be  assigned  only 
two  types  of  tasks.  Some  parts  whose  failure  could  cause  critical  second- 
ary damage  will  be  assigned  safe-life  discard  tasks,  but  most  parts  are 
assigned  on-condition  tasks,  often  as  part  of  an  ODportunity-sampling 
age-exploration  program. 

The  reason  no  failure-finding  tasks  were  assigned  has  to  do  with 
the  level  of  the  analysis.  The  fracture  of  a single  compressor  blade  or 
guide  vane  does  not  cause  a perceptible  reduction  in  engine  thrust 
and  since  it  also  may  not  result  in  any  secondary  damage,  the  failure  of 
individual  blades  and  vanes  may  not  be  evident  to  the  operating  crew. 
Viewed  from  the  parts  level,  each  of  these  failures  would  be  classified  as 
a hidden  functional  failure.  Similarly,  at  the  assembly  level  erosion  of 
these  parts  beyond  the  acceptable  limits  would  be  defined  as  a hidden 
failure,  since  this  condition  would  not  necessarily  be  apparent  from  the 
overall  exhaust-gas  temperature.  At  the  engine  level,  however,  these 
conditions  become  potential  failures  for  the  engine  itself,  and  in  both 
cases  on-conuition  tasks  have  been  specified.  The  periodic  inspections 
assigned  to  the  compressor  blades  and  the  nozzle  guide  vanes  would 
reveal  any  fractured  elements  as  well  as  other  forms  of  deterioration. 

Note  that  the  initial  program  also  contains  no  rework  tasks  for 
individual  items.  This  is  partly  because  there  is  no  information  at  this 
stage  to  support  their  applicability  and  partly  because  on  condition 
tasks  are  applicable  to  so  many  engine  parts.  After  the  equipment  enters 
service  the  abundance  of  opportunity  samples  results  in  a very  rapid 
accumulation  of  operating  data  on  engines.  Thus  the  applicability  and 
cost-effectiveness  of  rework  for  specific  items  can  be  established  by  the 
time  the  first  few  airplanes  in  the  fleet  reach  a proposed  rework  age. 
Even  when  age  exploration  does  show  that  certain  items  would  benefit 
from  scheduled  rework,  however,  the  intervals  at  which  such  tasks  are 
cost-effective  may  vary  widely  for  different  items.  Since  there  are  no 
rework  tasks  that  can  be  consolidated  into  a single  work  package  to  be 
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performed  at  some  specified  operating  age,  complete  rework  (scheduled 
overl  of  the  entire  engine  is  un!  ely  to  be  justified  at  any  point 
ii>  its  operating  life,  let  alone  in  an  initial  program. 

An  age-exploration  program  is  required  for  all  new  aircraft  engines. 
In  most  cases  the1  requirement  calls  for  the  inspection  of  sets  of  parts 
equivalent  to  two  or  three  complete  engines  before  any  installed  engine 
exceeds  a soecified  operating  age,  say,  1,500  hours.  The  use  of  oppor- 
tunity samples  from  eng:  tes  that  have  aged  to  a specified  lower  limit  — 
perhaps  50u  or  1,000  hours  — is  permitted  to  satisfy  this  requirement.  If 
there  are  not  enough  premature  removals  to  provide  the  required  sam- 
ples, it  may  be  necessary  to  remove  and  disassemble  engines  that  have 
reached  the  1,500-hour  limit  for  the  sole  purpose  of  inspecting  their 
parts.  After  the  condition  of  the  parts  is  evaluated,  the  upper  limit  for 
complete  sets  of  parts  may  be  extended,  say,  to  3,000  hours. 

The  requirement  for  whole-engine  samplinp  usually  dropped 
after  two  such  inspections,  but  there  will  be  conti.  ong  age  exploration 
for  certain  selected  items.  The  sampling  in  this  case  may  also  be  based 
on  two  threshold  limits  for  each  item.  The  inspection  information  is 
useful  in  assessing  the  effects  of  age  only  if  the  item  has  aged  to  the 
lower  limit.  With  this  type  of  program  any  units  of  the  item  that  have 
aged  to  the  upper  threshold  must  be  inspected  even  if  additional  dis- 
assembly of  the  engine  is  necessary  to  reach  them.  Such  units  are  termed 
forced  samples,  in  contrast  to  the  opportunity  samples  of  parts  available 
for  inspection  during  the  normal  course  of  disassembly.  Both  threshold 
limits  are  ordinarily  extended  after  two  or  three  samples  of  an  item  have 
been  inspected  and  found  to  be  in  satisfactory  condition. 

A newer  and  more  economical  variation  of  this  procedure  is  an 
age-exploration  plan  based  entirely  on  opportunity  sampling.  This  con- 
cept involves  a lower  threshold  limit  and  a sample  size  of  one  unit.  The 
first  opportunity  sample  whose  age  exceeds  an  initial  lower  limit  is 
inspected,  and  if  the  inspection  findings  are  satisfactory,  tne  age  of  this 
sample  unit  becomes  the  new  threshold  limit.  As  a result,  documented 
sample  information  increases  steadily  in  small  age  increments,  with  the 
age  of  the  olde;  l inspection  sample  roughly  parallel  at  all  times  to  the 
age  of  the  oldest  installed  engine  (see  Exhibit  5.9  in  Chapter  5).  It  is 
perferable  in  this  type  of  program  that  the  inspection  samples  not  be 
reworked  before  they  are  reinstalled  unless  their  condition  is,  judged 
unacceptable  for  continued  service.  In  this  way  t!  a time  since1  rework 
is  not  zeroed  out,  and  it  is  possible  for  sampling  to  proceed  rapidly  to 
units  of  higher  ages. 

At  some  age  the  condition  of  the  units  inspected  will  show  enough 
deterioration  to  identify  the  appropriate  intervals  for  first  and  repeat 
inspections  of  all  units  of  the  item.  In  this  case  the  condition  defined  as 
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Operating  age  since  last  shop  visit  (flight  hours) 


EXHIBIT  8*10  The  results  of  successive  age-reliabiiity  analyses  of 
the  Pratt  & Whitney  JT8D-7  engine  after  it  entered  service. 

(United  Airlines) 


equal  to  the  interval  between  successive  shop  visits  of  the  engine  (the 
mean  time  between  removals).  As  an  alternative,  the  sampling  threshold 
may  be  held  at  a fixed  age  limit  to  accumulate  more  information  on  the 
condition  of  parts  at  that  particular  age.  If  this  additional  information 
shows  that  a large  proportion  of  the  units  are  reaching  the  potential- 
failure  point  at  a fairly  well-defined  age,  a rework  task  might  be  as- 
signed to  that  item  — or,  depending  on  the  ratio  of  rework  cost  to  re- 
placement cost,  a discard  task  might  be  specified  for  a slightly  higher 
age. 

Exhibit  8.10  shows  the  results  of  successive  age-reliability  analyses 
conducted  as  part  of  the  age-exploration  activities  after  the  Pratt  & 
Whitney  JT8D  engine  entered  service.  Each  curve  represents  all  pre- 
mature removals,  both  those  resulting  from  on-condition  inspections 
and  those  resulting  from  crew-reported  malfunctions.  While  the  first 
few  curves  show  a very  high  conditional  probability  of  failure,  complete 
engine  overhauls  at  an  age  low  enough  to  affect  the  premature-removal 
rate  would  have  grounded  the  fleet  (engine  overhauls  take  about  45 
days).  If  the  data  had  been  partitioned  to  show  the  respective  contribu- 
tions of  potential  and  functional  failures  to  the  total  premature  removals, 
it  would  also  be  apparent  that  the  potential  failures  were  much  more 
age-related  than  the  functional  failures.  In  other  words,  on-condition 
inspections  were  effectively  removing  faulty  units  from  service  at  a 
much  earlie.  stage  than  would  have  been  feasible  with  any  rework  age 
226  applications  limit. 
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In  this  case  actuarial  analysis  of  the  premature-removal  data  iden- 
tified the  dominant  failure  modes,  which  were  in  the  hot  section  of  the 
engine,  and  redesign  of  the  parts  most  susceptible  to  rapid  heat  deteri- 
oration resulted  in  the  ultimate  reliability  shown  by  the  final  curves. 
Apart  from  the  fact  that  complete  engine  overhauls  would  have  repre- 
sented a needless  expenditure  on  the  other  sections  of  the  engine,  which 
were  in  excellent  condition,  they  would  have  impeded  improvement  of 
the  engine  itself.  If  all  parts  of  the  engine  had  been  zero-timed  at  fixed 
intervals,  there  would  have  been  no  means  of  determining  the  actual 
potential-failure  ages  of  individual  items  and  improving  the  inherent 
reliability  of  the  engine  accordingly.  In  the  powerplant  division  age 
exploration  in  fact  plays  a dual  role.  On  one  hand,  it  provides  a means 
of  determining  the  actual  maintenance  requirements  of  each  engine 
item,  and  on  the  other,  it  provides  the  information  necessary  to  improve 
the  overall  safety  and  operating  reliability  of  the  engine.  This  latter  role 
is  an  integral  part  of  the  development  process  for  any  new  engine. 


CHAPTER  NINE 


rcm  analysis  of  structures 


THE  STRUCTURE  division  consists  of  all  the  load-carrying  elements  of  the 
airplane.  These  include  not  only  the  basic  airframe  — the  fuselage,  wings, 
and  tail  assembly  — but  a variety  of  other  assemblies  and  components 
that  are  subjected  to  loads: 

► The  landing  gear  (except  brakes,  tires,  and  retraction  mechanisms) 

► Movable  flight-control  surfaces  and  high-lift  devices  (except  their 
associated  actuators  and  gearboxes) 

► Integral  fuel  tanks 

► Powerplant  pylons,  supports,  and  cowlings 

► The  aircraft  skin 

► Doors,  hatches,  windshields,  and  cabin  windows 

► Internal  partitions,  decks,  and  braces 

► Connecting  elements  such  as  brackets  and  clips 

Airplane  structures  are  subject  to  many  types  of  loads  during  operation  — 
gust  loads,  maneuvering  loads,  landing  loads.  The  magnitude  and  fre- 
quency of  these  loads  depend  on  the  nature  of  the  operating  environ- 
ment, although  in  general  low  loads  will  occur  frequently  and  peak  loads 
will  be  encountered  very  infrequently.  The  structure  must  therefore  be 
designed  in  terms  of  all  its  load  spectra  and  must  be  so  strong  that  it  is 
extremely  unlikely  to  encounter  any  load  it  cannot  withstand  during 
its  intended  type  of  operation.  The  role  of  scheduled  maintenance  is 
to  find  and  correct  any  deterioration  that  would  impair  this  load- 
carrying capability. 

Unlike  systems  and  powerplant  items,  few  failures  short  of  a critical 
228  APPLICATIONS  failure  will  be  evident  to  the  operating  crew.  The  ultimate  effects  of 
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most  functional  failures,  however,  have  a direct  impact  on  safety;  hence 
RCM  analysis  of  all  structurally  significant  items  falls  in  the  safety 
branch  of  the  decision  diagram.  In  this  case  there  are  only  two  task  out- 
comes: on-condition  inspections  for  all  items,  with  the  addition  of  a 
discard  task  for  safe-lite  elements.  The  focus  in  developing  a structure 
program,  therefore,  is  not  on  a search  for  applicable  and  effective  tasks. 
Rather,  it  is  on  determining  an  appropriate  inspection  interval  for  each 
item.  All  parts  of  the  structure  are  exposed  to  the  age-related  processes 
of  fatigue  and  corrosion,  but  these  processes  interact  and  are  not  entirely 
predictable.  Thus  even  for  an  airplane  that  embodies  well-known  mate- 
rials, design  practices,  and  production  processes,  the  intervals  assigned 
in  an  initial  program  are  only  a small  fraction  of  the  age  at  which  any 
evidence  of  deterioration  is  anticipated.  In  fact,  the  inspection  plan 
itself  merely  delineates  the  start  of  structural  age-exploration  activities. 


9 • 1 CHARACTERISTICS  OF 
STRUCTURAL  ITEMS 

The  structure  of  an  airplane  consists  of  numerous .dividual  assemblies.  design  strength 

As  an  integral  unit,  however,  it  performs  a variety  of  functions,  a few  of  *hc  fatigue  process 

which  can  be  defined  as  follows:  factors  that  affect  fatigue  life 

structurally  significant  items 

► To  enable  aerodynamic  lifting  forces  to  balance  the  weight  of  the 
airplane 

► To  provide  mounts  for  the  powerplants  that  produce  the  thrust 
necessary  to  balance  aerodynamic  drag 

► To  provide  movable  flight-control  surfaces  for  maneuvering  the 
airplane 
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► To  provide  the  means  (landing  gear)  for  making  a transition  from 
air  to  ground  operation 

► To  provide  volumes  for  carrying  fuel 

► To  provide  space  and  mounting  points  for  the  various  systems 
required  for  operating  capability 

► To  provide  space  with  a suitable  environment  (often  pressurized) 
for  the  operating  crew  and  the  payload  to  be  carried 

Loads  are  imposed  on  the  structure  during  the  performance  of  these 
functions,  and  if  any  major  assembly  cannot  withstand  them,  the 
structure  experiences  a functional  failure.  Thus  the  basic  function  of 
individual  assemblies  or  structural  members  is  to  withstand  the  loads 
imposed  on  them  without  collapsing  or  fracturing. 

Many  of  the  functions  listed  above  are  of  such  a nature  that  a func- 
tional failure  would  have  an  immediate  effect  on  operating  safety; 
hence  the  design  practices  followed  for  the  structure  ensure  that  failures 
are  extremely  unlikely.  Whereas  other  parts  of  the  aircraft  are  designed 
to  facilitate  reports  of  functional  failures  by  the  operating  crew,  the 
crew  will  rarely  be  in  a position  to  report  structural  failures  (although 
there  are  occasional  crew  reports  of  failed  landing  gear  and  high-lift 
devices). 

It  is  also  very  difficult  and  expensive  to  replace  parts  of  the  struc- 
ture. Systems  and  powerplant  items  are  continually  changed  through- 
out the  operating  life  of  the  aircraft;  hence  on  any  in-service  airplane 
these  items  are  likely  to  be  of  widely  varying  ages.  In  contrast,  structural 
elements  are  repaired,  often  by  the  use  of  doublers,  and  they  are  also 
modified,  but  they  are  rarely  replaced.  Consequently,  except  for  those 
parts  added  as  repairs  or  modifications,  nearly  all  parts  of  the  structure 
on  any  given  airplane  will  be  of  the  same  age.  Since  all  structural  ele- 
ments are  subject  to  a primary  failure  process  that  is  directly  related  to 
total  age,  the  structure  as  a whole  is  designed  to  a goal  of  failure  ages 
far  longer  than  the  expected  operating  life  of  the  airplane. 

DESIGN  STRENGTH 

Airplane  structures  are  designed  to  withstand  many  different  kinds  of 
loads,  such  as  those  caused  by  air  turbulence,  flight  maneuvers,  land- 
ings, and  takeoffs.  For  commercial  transport  airplanes  manufactured 
in  the  United  States,  each  of  these  load  requirements  is  defined  by  FAA 
airworthiness  regulations.  For  aircraft  operating  in  other  contexts,  load 
requirements  are  specified  either  by  the  appropriate  airworthiness 
authority  in  the  case  of  civil  aviation  or  by  the  purchasing  organization 
in  the  case  of  military  aviation.  Individual  design-load  requirements 
are  stringent  enough  to  ensure  that  a more  severe  load  situation  would 
be  extremely  improbable  in  the  operating  environment  for  which  the 


airplane  is  designed.  For  example,  one  of  the  load  requirements  for 
structures  in  the  commercial-transport  category  is  defined  as  follows:* 

25.341  Gust  Loads 

a The  airplane  is  assumed  to  be  subjected  to  symmetrical  vertical 
gusts  in  level  flight.  The  resulting  limit  load  factors  must  cor- 
respond to  the  conditions  determined  as  follows: 

1 Positive  (up)  and  negative  (down)  rough  air  gusts  of  66  fps 
at  VH  [the  design  speed  for  maximum  gust  intensity]  must 
be  considered  at  altitudes  between  sea  level  and  20,000  feet. 
The  gust  velocity  may  be  reduced  linearly  from  66  fps  at 
20,000  feet  to  38  fps  at  50,000  feet. 

2 Positive  and  negative  gusts  of  50  fps  at  Vr  [the  design  cruis- 
ing speed]  must  be  considered  at  altitudes  between  sea  level 

r.d  20,000  feet.  The  gust  velocity  may  be  reduced  linearly 
from  30  fps  at  20,000  feet  to  25  fps  at  50,000  feet. 

3 Positive  and  negative  gusts  of  25  fps  at  V„  [the  design  dive 
speed]  must  be  considered  at  altitudes  between  sea  level 
and  20,000  feet.  The  gust  velocity  may  be  reduced  linearly 
from  25  fps  at  20,000  feet  to  12.5  fps  at  50,000  feet. 

During  the  development  and  certification  of  any  new  aircraft  the 
manufacturer  conducts  numerous  tests  to  confirm  that  each  structural 
assembly  can  withstand  the  specified  design  loads  without  damage  or 
permanent  deformation.  Design  loads  with  this  objective  are  called  limit 
loads.  There  are  also  requirements  that  the  structure  be  able  to  with- 
stand at  least  150  percent  of  the  limit  load  without  collapsing  (experi- 
encing a functional  failure).  When  design  loads  are  factored  upward 
in  this  way  they  are  called  ultimate  loads.  The  present  airworthiness 
requirements  for  design  strength  have  been  effective  in  protecting 
against  functional  failures  as  long  as  the  specified  load-carrying  capa- 
bilities of  the  structure  are  preserved. 

After  the  airplane  enters  service  the  operating  organization  is 
responsible  both  for  preserving  the  design  strength  of  the  structure  and 
also  for  ensuring  that  the  operating  gross  weight  of  the  airplane  does 
not  exceed  the  maximum  weight  at  which  the  structure  can  satisfy  the 
various  load  requirements. 

THE  FATIGUE  PROCESS 

All  the  loads  to  which  an  aircraft  structure  is  subjected  are  repeated 
many  times  throughout  the  course  of  its  operating  life.  Although  any 
single  load  application  may  be  only  a fraction  of  the  load-carrying 
capability  of  the  element,  the  stress  imposed  by  each  one  reduces  the 

*t'riieral  Aviation  Rc/i illations.  Airworthiness  Standards:  Transport  Category  Airplanes, 
sec.  25.341,  effective  February  1,  19t>5. 
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EXHIBIT  91 1 Model  of  tne  effect  of  fatigue  on  the  strength  of  a 
single  structural  element  exposed  to  cyclic  loads. 


remaining  margin  of  failure  resistance.  Eventually,  as  a result  of  these 
cumulative  reductions,  a small  crack  will  appear  in  the  metal.  Until  the 
crack  reaches  the  stage  at  which  it  is  visible,  there  is  little  change  in 
the  strength  of  the  affected  element.  Thereafter,  as  internal  stresses 
cause  the  crack  to  propagate,  the  strength  of  the  element  is  reduced  at  an 
ever-increasing  rate. 

The  fatigue  process  thus  has  two  aspects.  Because  the  effects  of 
repeated  loads  are  cumulative,  as  the  operating  age  increases,  the  age 
interval  before  a crack  will  appear  decreases  - that  is,  there  is  a reduc- 
tion in  the  remaining  time  before  crack  initiation,  the  appearance  of  a 
visible  crack.  The  operating  age  at  which  a fatigue  crack  first  appears  in 
a structural  item  is  termed  the  fatigue  life  of  the  item.*  The  second  aspect 
is  the  reduction  in  the  strength,  or  load-resisting  capability,  of  the  item 
associated  with  crack  propagation.  Both  fatigue  life  and  the  rate  of  crack 
propagation  vary  not  only  with  the  material  from  which  the  item  is 
made,  but  also  with  its  size  and  shape  and  the  manufacturing  process 
by  vhich  it  was  produced.  For  this  reason  fatigue  tests  must  be  con- 
ducted on  actual  structural  elements  and  assemblies  to  determine  their 
individual  fatigue  characteristics. 

The  fatigue  process  in  a single  structural  element  is  illustrated  in 
Exhibit  9.1.  When  the  structure  is  new  the  element  can  withstand  an 
ultimate  load,  or  150  percent  of  its  design  limit  load.  As  the  element  ages 


*The  term  fatigue  life  is  also  used  to  denote  the  age  at  which  a fracture  occurs  as  a result 
of  fatigue.  In  this  discussion  fatigue  life  always  means  the  time  to  crack  initiation. 
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tXKIfllT  9*2  Model  of  the  effect  of  fatig  ie  on  the  strength  of  a 
r.’iUiple-ioad-path  (redundant)  structural  assembly  exposed  to 
v/ciic  loads. 


in  service  its  failure  resistance  (time  to  crack  initiation)  decreases  with 
repeated  load  applications  until  a fatigue  crack  appears.  Up  to  this  point 
its  load-resisting  capability  is  relatively  unchanged.  Now,  however, 
the  crack  will  propagate,  and  the  strength  of  the  element  will  decrease 
accordingly.  At  some  point  the  crack  will  reach  a length  at  which  the 
element  can  no  longer  withstand  the  limit  load;  it  then  becomes  a critical 
crack.  If  this  element  is  subjected  to  the  limit  load  it  will  fracture  imme- 
diately, but  even  when  the  continued  loads  are  much  lower  than  the 
limit  load,  the  rate  of  crack  growth  will  become  so  rapid  that  a fracture 
cannot  be  prevented  by  scheduled  maintenance. 

If  the  item  that  fractures  is  a monolithic  element  and  is  not  part  of 
a redundant  assembly,  this  functional  failure  is  usually  critical.  If  the 
item  is  one  element  of  a multiple-load-path  assembly,  the  fracture 
reduces  the  load-carrying  capability  of  the  assembly  but  does  not  result 
in  a complete  loss  of  function.  The  resulting  redistribution  of  the  load 
to  the  remaining  elements  does,  however,  accelerate  the  fatigue  process 
in  those  elements.  This  situation  is  illustrated  in  Fxhibit  9.2.  The  crack- 
ing or  fracture  of  the  first  element  reduces  the  residual  strength  of  the 
assembly.  After  this  the  load-carrying  capability  will  remain  relatively 
constant  until  a crack  initiates  in  a second  element,  which  results  in  a 
transition  to  a still  lower  residual  strength.  The  amount  of  reduction  in 
each  case  will  depend  on  the  contribution  of  each  element  to  the  total 
strength  of  the  assembly. 

The  difference  between  these  two  situations  has  led  to  two  basic 
structural-design  practices  to  prevent  critical  failures.  The  older,  and  SECTION  9*1  233 
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perhaps  better-known,  practice  is  safe-life  design,  which  applies  to 
structural  elements  with  little  or  no  redundancy.  A newer  practice  is 
damage-tolerant  (fail-safe)  design.  This  term  refers  not  only  to  redundant 
fail-safe  structure,  but  also  to  monolithic  portions  of  the  structure  char- 
acterized by  easily  detected  cracks  with  slow  propagation  rates.  A struc- 
tural assembly  is  said  to  be  damage-tolerant  if  after  the  complete  frac- 
ture of  any  one  element  it  can  still  withstand  the  damage-tolerant  loads 
specified  by  the  appropriate  airworthiness  authority.  A monolithic  item 
is  considered  damage-tolerant  if  the  rate  of  crack  propagation  is  slow 
enough  for  at  least  two  inspections  to  be  feasible  during  the  interval 
from  crack  initiation  to  a crack  of  critical  length. 

Suppose,  for  example,  that  the  specified  damage-tolerant  load  is 
the  design  limit  load  treated  as  an  ultimate  load.  This  means  that  in  its 
intact  condition  a structural  assembly  must  be  capable  of  withstanding 
the  limit  load  without  permanent  deformation,  whereas  after  the  failure 
of  one  of  its  elements  it  must  be  able  to  withstand  the  same  load  with- 
out a functional  failure.  This  specification  is  similar  to  the  requirement 
that  the  engines  on  a transport  airplane  provide  sufficient  residual  thrust 
for  safe  operation  after  a complete  loss  of  thrust  from  one  engine  (or, 
in  certain  situations,  from  two  engines).  The  residual  strength  after  a 
single  element  fails  is  lower  than  desired  for  continuous  operation. 
However,  it  is  still  so  high  that  the  airplane  is  unlikely  to  encounter 
dangerous  loads  during  the  time  that  will  pass  before  the  failed  element 
is  discovered  and  repaired.  The  concept  of  damage-tolerant  design 
depends,  of  course,  on  an  adequate  inspection  program. 

It  is  rare  for  the  failure  of  a single  element  to  reduce  residual  strength 
to  the  damage-tolerant  level  In  fact,  depending  on  the  degree  of  redun- 
dancy (number  of  load  paths),  the  failure  of  some  structural  elements 
has  little  effect  on  the  assembly.  Moreover,  the  design  strength  of  most 
elements  is  determined  by  the  single  highest  load  requirement,  such 
as  that  for  landing  loads,  and  their  contribution  to  the  strength  of  the 
assembly  may  be  less  under  other  loading  conditions.  The  appearance 
of  a fatigue  crack  in  an  element  can  therefore  be  defined  as  a potential- 
failure  condition,  and  since  even  the  fracture  of  a single  element  is  not 
critical,  on-condition  inspections  will  be  effective  at  intervals  short 
enough  to  ensure  that  not  more  than  one  element  will  fracture. 

Most  modem  aircraft  employ  damage-tolerant  design  principles  as 
widely  as  possible,  but  there  are  some  parts  of  the  structure,  such  as  the 
landing  gear,  for  which  the  criteria  for  damage  tolerance  cannot  be  met. 
Consequently  it  is  necessary  to  impose  safe-life  limits  on  these  ele- 
ments. Since  fatigue  is  directly  related  to  total  operating  age,  the  limit 
is  based  on  tests  conducted  to  simulate  operating  loads  in  order  to  deter- 
mine the  fatigue  life  (time  to  crack  initiation)  for  each  element.  Although 
a safe-life  discard  task  based  on  such  fatigue  tesfs  is  applicable,  it  can- 
not be  considered  effective  in  the  case  of  structural  elements  because 
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they  are  exposed  to  other  deterioration  processes  that  may  prevent  the 
safe-life  limit  from  being  achieved.  Hence  any  safe-life  structural  items 
must  be  supported  by  a combination  of  tasks  - on-condition  inspections 
for  corrosion  and  accidental  damage  and  a safe-life  discard  task  to  ensure 
that  the  item  is  removed  from  service  before  a fatigue  failure  can  occur. 

The  replacement  of  safe-life  items  and  the  repair  of  fatigue  damage 
in  other  structural  elements  is  both  time-consuming  and  very  expen- 
sive. Thus  for  economic  reasons  as  well  as  safety  reasons,  the  structure 
of  an  aircraft  is  designed  for  high  safe-life  limits,  and  also  for  a long 
fatigue  life.  The  design  goal  for  the  Douglas  DC- 10,  for  example,  was 
a mean  fatigue  life  (to  crack  initiation)  of  120,000  hours  for  the  structure 
as  a whole,  with  the  expectation  that  any  individual  airplane  would  be 
free  of  any  fatigue  problems  up  to  60,000  hours. 


FACTORS  THAT  AFFECT  FATIGUE  LIFE 

The  primary  deterioration  process  in  structure  is  fatigue.  However,  the 
integrity  of  the  structure  is  ...  so  threatened  by  manufacturing  imperfec- 
tions, accidental  damage,  overloads  during  operation,  and  corrosion. 
All  these  factors  can  have  a direct  effect  on  structural  strength  and  can 
also  accelerate  the  fatigue  process  itself.  The  age  at  which  fatigue  cracks 
first  appear  in  a given  structural  item  may  therefore  vary  widely  from 
one  airplane  to  another,  and  structural  inspections  must  begin  long 
before  the  age  at  which  fatigue- test  data  indicate  that  a fatigue  crack  can 
be  expected. 

One  well-recognized  manufacturing  problem  is  assembly-induced 
preload,  a condition  caused  by  design,  fabrication,  or  assembly  errors. 
Exhibit  9.3  shows  an  example  of  a preload  condition  in  an  angle  splice. 
In  this  case  a missing  chamfer  allows  the  edge  of  the  angle  to  gouge 
into  the  radius  of  the  chord  piece.  When  the  horizontal  joint  is  drilled 
and  bolted  without  proper  shimming,  a further  effect  is  deformation 


EXHIBIT  9*3  Example  of  a preload  condition.  Although  the  discovery 
of  this  condition  on  one  airplane  prompted  an  immediate  inspection 
of  the  entire  fleet,  only  a few  cases  of  preload  were  actually  found. 


Bulkhead  chord 
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Proper  chamfer 


Missing  chamfer 


Deformation  due  to  preload 
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of  the  pieces.  The  result  is  either  radial  cracking  at  the  joint  or  a splice 
with  such  high  imposed  loads  that  it  is  highly  susceptible  to  any  small 
additional  loads.  In  either  case  the  residual  strength  of  the  assembly 
containing  this  chord  and  splice  will  deteriorate  in  a fraction  of  its  in- 
tended design  life.  Fortunately  the  existence  of  a preload  condition  is 
usually  detected  early  in  the  age- exploration  process,  but  its  discovery 
necessitates  immediate  inspection  of  the  entire  fleet  to  locate  all  defec- 
tive units. 

In  addition  to  localized  problems,  all  parts  of  the  structure  are 
exposed  to  corrosion , the  deterioration  and  ultimate  destruction  of  a 
metal  by  its  environment.  There  are  many  different  forms  of  corrosion, 
ranging  from  simple  oxidation  to  electrolytic  reactions.  Like  fatigue, 
corrosion  is  age-related.  It  is  not  nearly  so  predictable,  however,  since 
metals  corrode  at  rates  that  depend  on  a complex  of  environmental 
conditions  and  maintenance  practices.  Corrosion  damage  has  a partic- 
ularly adverse  effect  on  structural  strength.  Unless  it  is  detected  at  an 
early  stage,  the  localized  loss  of  material  will  reduce  the  load-carrying 
capability  of  the  portion  of  the  structure  affected,  and  the  resulting 
increase  in  stress  levels  will  accelerate  the  fatigue  process  in  the  remain- 
ing metal. 

Most  types  of  corrosion  are  observable  as  surface  deterioration 
which  results  in  a measurable  reduction  in  the  cross  section  of  the  ele- 
ment. Stress  corrosion,  however,  is  more  difficult  to  detect.  This  form 
of  corrosion  is  caused  by  the  combined  effects  of  environment  and 
sustained  or  cyclic  tensile  stress,  and  it  can  lead  to  the  spontaneous 
collapse  of  the  metal  with  no  macroscopic  signs  of  impending  failure. 
Stress  corrosion  develops  as  fine  intercrystalline  or  transcrystalline 
cracks  in  the  metal  itself.  Since  there  may  be  no  external  evidence  of 
deterioration,  we  must  rely  on  such  nondestructive  techniques  as  eddy- 
current  inspection  to  detect  this  condition.  In  a moist  environment 
stress-corrosion  cracking  can  occur  under  stresses  much  lower  than 
the  yield  stress  of  the  material.  The  problem  is  most  common  in  high- 
strength  aluminum  alloys  that  have  been  strengthened  by  heat-treating. 
It  can  be  caused  by  improper  heat  treatment,  a poor  choice  of  materials 
for  a particular  set  of  conditions,  or  the  lack  of  adequate  protective 
coatings.  In  some  cases  it  may  also  be  caused  by  the  sustained  stress 
created  by  preload  conditions. 

Generally  the  areas  that  are  exposed  to  dirt,  moisture,  and  heat  are 
the  most  susceptible  to  corrosion,  and  properly  applied  and  maintained 
protective  coatings  are  necessary  to  prevent  deterioration.  Particularly 
short  inspection  intervals  are  required  in  such  corrosion-prone  areas 
as  fuselage  bilges,  the  areas  under  lavatories  and  galleys,  and  cargo 
pits  to  check  for  incipient  corrosion  and  restore  any  deteriorated  pro- 
tective coatings. 


STRUCTURALLY  SIGNIFICANT  ITEMS 

Nearly  all  parts  of  an  airplane  structure  are  inspected  at  one  time  or 
another,  both  to  preserve  the  design  strength  of  the  structure  and  be- 
cause deterioration  detected  in  its  early  stages  is  relatively  inexpensive 
to  repair  Because  of  the  cost  and  difficulty  of  replacing  failed  struc- 
tural men.oers,  most  such  items  might  be  viewed  as  significant  on  the 
basis  of  economic  consequences.  However,  the  primary  consideration 
in  determining  structural  significance  is  the  effect  that  failure  of  an 
element  has  on  the  residual  strength  of  the  remaining  assembly  and  on 
the  functional  capability  of  the  overall  structure.  Thus  safe-life  elements 
and  damage-tolerant  monolithic  elements  are  classified  as  significant 
because  their  failure  would  lead  to  a complete  loss  of  function  of  a major 
assembly  either  immediately  or  in  the  near  future.  Many  elements  of  a 
damage- tolerant  assembly  will  also  be  classified  as  significant,  depend- 
ing on  their  contribution  to  the  strength  of  the  assembly  and  the  signifi- 
cance of  the  assembly  to  the  overall  structure. 

The  generic  term  structurally  significant  item  (SSI)  is  used  to  denote 
each  specific  structural  region  that  requires  scheduled  maintenance  as 
part  of  an  RCM  program  to  guard  against  the  fracture  of  significant 
elements.  Such  an  item  may  be  defined  as  a site  which  includes  several 
elements,  it  may  be  defined  as  the  significant  element  itself,  or  it  may 
be  defined  in  terms  of  specific  regions  on  the  element  which  are  the 
best  indicators  of  its  condition.  In  this  sense  a structurally  significant 
item  is  selected  in  much  the  same  way  as  a functionally  significant  item, 
which  may  be  a system,  a subsystem,  an  assembly,  or  a significant  part 
in  an  assembly. 

During  the  selection  of  structurally  significant  items  consideration 
is  also  given  to  the  susceptibility  of  various  parts  of  the  structure  to 
corrosion  and  accidental  damage.  Thus  the  relative  ranking  of  signifi- 
cant items  takes  into  account  not  only  the  effect  of  the  item's  failure,  but 
i also  how  soon  a particular  item  is  likely  to  cause  problems.  Conse- 

quently, although  significant  items  are  often  defined  in  terms  of  specific 
stress  points,  such  as  the  joint  between  two  structural  members,  an 
entire  area  that  is  exposed  to  moisture,  and  hence  to  corrosion  problems, 
may  also  be  classified  as  significant.  In  this  case  specific  stress  points 
within  the  area  might  be  designated  as  separate  items  on  the  basis  of 
fatigue  factors.  Sometimes  different  surfaces  of  the  same  structural 
element  are  designated  as  separate  items,  especially  if  different  access 
i routes  are  required  to  perform  the  inspections. 

In  the  development  of  a prior-to-service  program  the  manufacturer 
provides  the  initial  designation  of  structurally  significant  items,  since 
; at  that  time  he  is  the  only  one  in  a position  to  identify  safe-life  and 

, damage-tolerant  monolithic  items,  the  effect  of  a failed  element  on  the 

strength  of  damage-tolerant  assemblies,  and  the  expected  fatigue  life 
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and  crack-propagation  characteristics  of  each  structural  element.  Al- 
though the  numbering  schemes  differ  from  one  manufacturer  to  another, 
significant  items  are  usually  identified  on  the  basis  of  a three-dimen- 
sional reference  system  that  shows  their  exact  physical  location  by 
section  or  station  or  within  a designated  zone. 

All  structurally  significant  items  are  subjected  to  detailed  inspections. 
Many  of  these  inspections  are  visual,  but  they  must  be  performed  at 
close  range  and  require  special  attention  to  small  areas,  such  as  a check 
for  corrosion  in  bolt  holes.  Others  may  entail  the  use  of  special  equip- 
ment, such  as  .v-ray  or  eddy-current  devices.  In  addition  to  these  detailed 
inspections,  many  items  also  receive  frequent  general  inspections,  visual 
checks  for  any  obvious  problems,  which  require  no  tools  or  disassembly 
other  than  the  opening  of  quick-access  doors.  These  latter  inspections 
are  performed  as  part  of  the  preflight  walkaround  checks,  the  zonal  pro- 
gram, and  general  external  inspections,  which  include  nonsignificant 
portions  of  the  structure  as  well.  Thus,  although  the  RCM  structural 
program  includes  only  those  items  designated  as  structurally  signifi- 
cant, every  aspect  of  the  structure  is  examined  at  one  time  or  another  to 
ensure  that  any  signs  of  fatigue,  corrosion,  or  accidental  damage  will 
be  detected  in  their  early  stages. 


9*2  THE  STRUCTURAL  INSPECTION  PLAN 


external  anti  internal  structure 
structurally  significant  items 
structural  rating  factors 
class  number 
relative  inspection  intervals 
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The  structure  of  an  airplane  is  exposed  to  random  damage  from  contact 
with  loading  or  other  ground  equipment  and  from  foreign  objects  such 
as  stones  or  ice  on  runways  and  bird  strikes  during  flight.  It  is  also 
subject  to  occasional  severe  loads  during  operation  as  a result  of  air 
turbulence  or  hard  landi  ngs.  However,  the  chief  causes  of  deterioration 
(a  reduction  >n  failure  resistance)  are  fatigue  and  corrosion,  both  of 
which  are  age-related.  Fatigue  is  related  to  the  total  operating  age  of  the 
structure,  and  corrosion  is  a function  of  the  time  since  corrosion  damage 
was  last  repaired  and  antico  rosion  treatments  were  renewed.  The  ob- 
jective of  the  structural  inspection  plan  is  to  find  and  correct  any  deteri- 
oration of  those  items  of  greatest  significance  to  the  structural  integrity 
of  the  airplane,  and  to  collect  information  on  the  aging  characteristics  of 
less  significant  items  by  inspections  of  a sample  of  the  fleet.  The  sampling 
information  may,  of  course,  lead  to  inspection  of  certain  items  on  every 
airplane  as  evidence  of  these  characteristics  begins  to  appear. 

Because  deterioration  in  its  early  stages  is  relatively  inexpensive 
to  repair,  it  is  cost  effective  to  inspect  many  structural  items  far  more 
frequently  than  would  be  required  solely  to  protect  the  airworthiness 
of  the  airplane.  General  inspections  of  the  external  structure,  for  exam- 
ple, are  scheduled  very  frequently  because  they  can  be  performed 
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quickly  and  easily.  External  structural  items  are  those  portions  of  the 
structure  that  can  be  seen  without  removing  any  covering  items  or 
opening  any  access  doors.  These  general  inspections  will  detect  not 
only  accidental  damage,  but  also  any  external  signs  of  inte'-ial  deteri- 
oration, such  as  discoloration,  popped  rivets,  buckled  r and  fuel 
leaks.  This  external  evidence  is  often  a specificdesign  feat.  in  damage- 
tolerant  structure,  and  the  ease  of  external  inspections  makes  it  practical 
and  safe  to  lengthen  the  inspection  intervals  for  the  internal  items 
themselves. 

Any  part  of  the  structure  that  is  not  visible  externally  is  termed  an 
internal  structural  item,  Internal  items  are  more  difficult  to  inspect.  Some 
require  only  the  opening  of  quick-access  doors,  but  others  require  the 
removal  of  floorboards,  linings,  and  insulation  or  the  disassembly  of 
other  parts  of  the  structure  or  of  the  aircraft  systems.  Internal  significant 
items,  like  external  one  , receive  detailed  inspections.  However,  whereas 
external  inspections  a/e  performed  on  every  airplane,  some  internal 
inspections  are  performed  on  only  a portion  of  the  fleet.  In  the  power- 
plant  division  age  exploration  of  interna)  engine  items  is  based  on  a 
continual  flow  of  engines  through  he  repair  shop,  but  structure  does 
not  provide  such  opportunity  samples— portions  removed  and  sent  to 
the  shop  while  the  airplane  remains  in  service.  Thus  the  inspection  pro- 
gram itself  is  the  only  vehicle  forage  exploration. The  intervals  assigned 
in  an  initial  program  therefore  represent  only  a fraction  of  the  ages  at 
which  any  signs  of  deterioration  are  expected  and,  in  effect,  merely  de- 
fine the  start  of  age  exploration  for  each  item. 

The  current  practice  in  developing  an  initial  structure  program  is 
based  on  a rating  scheme  that  makes  full  use  of  the  designer's  infor- 
mation and  the  manufacturer's  test  data  for  the  various  structural  ele- 
ments. The  first  consideration  is  whether  the  portion  of  the  structure 
in  question  is  a structurally  significant  item.  If  so,  it  will  be  assigned 
a detailed  inspection  task,  but  the  frequency  of  inspection  will  depend 
on  further  considerations.  If  the  item  is  on  the  underside  of  the  airplane, 
which  is  particularly  susceptible  to  accidental  damage,  it  will  be  in- 
spected more  often  than  one  on  the  upper  surface.  The  inspection  inter- 
vals for  damage-tolerant  items  will  be  longer  in  general  than  those  for 
safe-life  elements.  In  this  case,  however,  the  interval  for  internal  items 
will  depend  on  whether  a damage-toleram  assembly  has  been  designed 
to  provide  external  evidence  of  internal  damage.  The  general  relation- 
ship of  these  considerations  is  diagrammed  in  Exhibit  9.4. 

The  starting  point  for  the  development  of  a structure  program  is  a 
list  of  structurally  significant  items.  Not  all  these  items  will  be  of  the 
same  significance.  The  failure  of  some  redundant  elements,  for  example, 
will  cause  a much  greater  reduction  in  residual  strength  than  the  failure 
of  others.  Moreover,  the  test  data  on  fatigue  life,  as  well  as  differences 
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in  susceptibility  to  corrosion  and  accidental  damage,  will  usually  indi- 
cate that  inspection  of  all  items  need  not  start  at  the  same  operating  age. 
To  determine  an  appropriate  interval  for  each  item,  therefore,  it  is 
necessary  to  assess  the  following  design  characteristics: 

► The  effect  of  failure  of  the  item  on  residual  strength 

EXHIBIT  9-4  A plan  foi  inspection  of  the  complete  structure. 


Is  this  portion  of  the  structure 
a structurally  significant  item? 


S1KUCTUBULY  SIGNIFICANT  n£M  NONSIGNIFICANT  STRUCTURAL  ITEM 

Receives  detailed  inspection  under  Receives  general  inspection  as  part 


► The  anticipated  crack-free  life  (fatigue  life)  of  the  item 

► The  crack-propagation  characteristics  of  the  item 

► Susceptibility  of  the  item  to  corrosion 

► Susceptibility  of  the  item  to  accidental  damage 

These  five  factors  are  used  to  develop  inspection  ratings  for  each  item, 
and  the  ratings  are  then  transformed  into  a class  number  that  identifies 
the  appropriate  relative  interval. 

To  illustrate,  suppose  the  item  is  an  internal  structural  element  in 
a damage-tolerant  assembly.  The  first  step  is  to  rate  each  of  the  five 
factors  independently  or  a scale  of  1 to  4,  as  outlined  in  Exhibit  9.5. 
This  scale  keeps  the  nu  nber  of  choices  small,  but  cdso  avoids  a middle 
value,  which  would  tfnd  to  be  overused.  Note  that  the  ratings  for  fa- 
tigue life  and  crack  propagation  for  an  internal  item  may  be  increased 
by  1 u there  is  external  evidence  of  the  item's  failure.  This  does  not 
apply  to  corrosion  ratings,  however,  since  the  objective  is  to  inspect 
often  enough  to  prevent  corrosion  damage  from  reaching  the  stage  at 
which  it  would  be  evident  externally.  Nor  does  it  apply  to  accidental 
damage.  Thus  this  particular  internal  item  might  be  rated  as  having 
very  little  effect  on  the  residual  strength  of  the  assembly  (4),  moderate 
fatigue  life  (2  + 1 = 3),  rapid  crack  growth  (1  + 1 = 2),  moderate  suscepti- 
bility to  corros  n (2),  and  very  little  exposure  to  accidental  damage  (4). 

The  procedure  for  safe-life  items  is  similar,  except  that  these  items 
are  rated  for  only  two  factors:  corrosion  and  exposure  to  accidental 
damage.  A funch  anal  failure  (fracture  of  the  item)  would  reduce  the 


EXHIBIT  9*5  Rating  scales  for  the  five  factors  that  determine 
structural  inspection  intervals.  Each  structurally  significant  item  is 
ranked  on  a scale  of  1 to  4 for  each  of  the  factors  that  apply.  The 
lowest  of  these  rankings  represents  the  class  number  assigned  to 
that  item. 


reduction  in 
residual  strength 

fatigue 

life* 

crack 

propagation* 

susceptibility  to 
corxoeion 

susceptibility  to 
accidental  damage 

rating 

Large 

Short 

Rapid 

High 

High 

1 

Moderate 

Modi  tun 

Moderate 

Moderate 

Moderate 

2 

flwsall 

Long 

Slow 

Low 

Low 

3 

Very  mail 

Very  long 

Very  alow 

Very  low 

Very  low 

4 

'Th  m two  rating*  for  an  internal  Item  may  be  increased  by  1 if  there  U external 
evidence  of  fail  tue  or  potaotk  tail  ore. 
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1 residual  strength  to  zero,  and  crack  propagation  is  not  a consideration 

because  a safe-life  item  cannot  be  allowed  to  reach  the  point  of  crack 
initiation.  If  it  were  feasible  to  define  a crack  as  a potential  failure  and 
depend  solely  on  on -condition  inspections  to  ensure  removal  of  the 
item  before  the  crack  reached  critical  length,  the  item  would  have  been 
classified  as  damage-tolerant  instead  of  safe-life. 

While  the  ratings  are  clearly  a matter  of  judgment,  they  make  the 
best  possible  use  of  the  information  that  is  available  at  the  time.  For 
example,  in  assessing  tne  reduction  in  residual  strength  caused  by  the 
fracture  of  a single  element,  consideration  must  be  given  not  only  to 
the  role  of  the  element  in  relation  to  the  load-carrying  capability  of  the 
assembly,  but  also  to  the  role  of  the  assembly  itself  in  relation  to  the 
overall  structure  From  the  standpoint  of  the  assembly,  one  determining 
factor  is  tl  e number  of  elements  at  the  same  site  that  can  fail  before 
damage-tolerant  capability  is  lost.  The  reduction  is  rated  as  major  if 
the  failure  of  a second  element  would  leave  the  assembly  incapable  of 
supporting  the  damage-tolerant  load;  it  would  be  rated  as  moderate  if 
the  failure  of  two  elements  could  be  tolerated,  and  if  the  loads  originally 
carried  by  the  two  elements  were  of  the  same  order  of  magnitude.  Alter- 
natively, the  ratings  can  be  based  on  the  percentage  of  loss  in  residual 
strength  caused  by  the  fracture  of  structural  elements.  For  example,  if 
the  failure  of  two  elements  can  be  tolerated,  a rating  of  2 would  be  used 
if  these  failures  reduce  the  margin  between  the  ultimate  and  damage- 
tolerant  strength  by  75  percent;  a reduction  of  50  percent  would  be  rated 
as  3,  and  a reduction  of  25  percent  would  warrant  a rating  of  4. 

In  assessing  fatigue  Hie  and  crack-propagation  characteristics  the 
working  group  would  consider  whether  or  not  the  item  had  undergone 
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reduction  in  residual  strength 

no.  of  elements  that  can  fail 
without  reducing  strength 
below  damage-tolerant  level  rating 


fatigue  life  of  element 

ratio  to  fatigue-life 

design  goal  rating 


One 

1 

Lees  than  1 

1 

Two  or  more 

2 

1-lVi 

2 

Two  or  more 

3 

lVa-2 

3 

Two  or  more 

4 

More  than  2 

4 

k it. 


fatigue  and  crack-propagation  tests  (if  not,  all  the  ratings  would  be 
lower),  whether  the  loads  applied  to  the  test  items  are  representative 
of  the  expected  operating  loads,  and  the  results  of  the  test  in  relation  to 
the  fatigue-life  goal  for  the  airplane.  In  making  corrosion  ratings  they 
would  consider  previous  experience  with  the  anticorrosion  treatments 
used  in  manufacture,  the  type  of  environment  in  which  the  equipment 
will  be  operated,  and  any  specific  problems  related  to  the  location  of 
the  item  in  the  equipment.  Operation  in  a hot,  humid  environment  close 
to  salt  water,  for  exampk  . would  affect  corrosion  ratings  for  the  entire 
structure.  In  commercial  aircraft  those  structural  items  adjacent  to  the 
cargo  pits,  galleys,  hot-air  ducts,  and  lavatories  are  particularly  sus- 
ceptible to  corrosion.  Susceptibility  to  corrosion  is  difficult  to  rate, 
since  corrosion  is  a function  of  the  operating  environment,  and  for  some 
types  of  equipment  evidence  of  corrosion  might  be  acceptable  at  much 
lower  ages  than  it  is  for  transport  aircraft.  Similarly,  the  susceptibility 
of  an  item  to  accidental  damage  will  range  from  high  for  external  items 
exposed  to  foreign  objects  on  runways  to  low  for  internal  areas  subject 
to  little  traffic  from  maintenance  personnel. 

One  way  of  rating  the  fatigue  life  and  crack-propagation  charac- 
teristics of  an  item  is  in  terms  of  the  fatigue-life  design  goal  for  the 
structure  as  a whole.  The  design  goal  for  the  Douglas  DC-10,  for  exam- 
ple, was  an  average  fatigue  life  of  120,000  hours  to  crack  initiation  (about 
40  years  of  airline  service,  or  two  operating  lifetimes).  An  individual 
item  with  an  expected  fatigue  life  of  less  than  120,000  hours  would  be 
rated  1 for  fatigue  life,  an  item  with  an  expected  fatigue  life  of  120,000 
to  180,000  hours  would  be  rated  2,  and  so  on.  The  ratings  for  crack  propa- 


tXHIBIT  Factors  used  to  develop  ratings  for  damage- 
tolerant  structurally  significant  items.  In  each  case  the  item  is 
rated  for  the  effect  of  a single  failure  on  the  residual  strength 
of  the  assembly.  The  fatigue  life  of  each  item  represents  the 
time  to  crack  initiation  in  relation  to  the  fatigue-life  design 
goal  for  the  structure  as  a whole. 


crack-propagation  rate 


ratio  of  interval  to 
fatigue-life  design  goal  rating 

1/8  1 

1/4  2 

3/8  3 

1/2  4 


susceptibility  to  corrosion 

ratio  of  corrosion-free 
' rge  to  fatigue-life 


design  goal  rating 

1/8  1 

1/4  2 

3/8  3 

1/2  4 


susceptibility  to  accidental  damage 
exposure  as  a result 


of  location  rating 

High  i~ 

Moderate  2 

Low  3 

Very  low  4 


gation  would  be  based  similarly  on  a ratio  of  the  crack-propagation 
interval  for  the  item  to  „ve  overall  fatigue-life  design  goal.  Thus  an  item 
with  an  interval  of  less  than  15,000  hours  from  the  time  of  crack  initia- 
tion to  critical  crack  length  (or  in  the  case  of  a redundant  element,  to 
fracture  of  the  element)  would  receive  a rating  of  1 for  this  factor. 

Corrosion  ratings  can  be  developed  in  the  same  way,  by  comparing 
the  age  at  which  corrosion  is  first  expected  to  become  evident  with  the 
fatigue-life  design  goal.  The  ratings  for  susceptibility  to  accidental 
damage  cannot  be  expressed  in  terms  of  a reference  age,  but  they  aie 
based  on  the  item's  resistance  to  damage,  as  well  as  the  type  and  fre- 
quency of  damage  to  which  it  is  exposed. 

Once  the  item  under  consideration  has  been  rated  for  each  of  the 
factors  that  apply,  the  lowest  rating  for  any  individual  factor  is  assigned 
as  the  class  number  for  that  item.*  The  damage-tolerant  item  described 
above  has  ratings  of  4,  3,  2,  2,  and  4;  hence  its  class  number  is  2.  A safe- 
life  item  rated  4 for  corrosion  and  1 for  susceptibility  to  accidental 
damage  would  have  a class  number  of  1.  The  class  number  ■'.* the  basis 
for  the  relative  length  of  the  initial  inspection  interval.  The  lower  the 
rating,  the  lower  the  class  number,  and  therefore  the  shorter  the  inspec- 
tion interval. 

For  damage-tolerant  items  the  design  goal  can  also  serve  as  a ref- 
erence for  converting  class  numbers  to  inspection  intervals.  The  interval 
must  be  one  that  provides  for  at  least  two  inspections  during  the  crack- 
propagation  interval;  if  the  first  inspection  does  not  disclose  a poten- 
tial failure,  the  second  one  will.  In  addition,  there  should  be  20  to  30 
inspections  before  the  expected  appearance  of  a fatigue  crack  on  the 
most  significant  items,  although  there  may  be  as  few  as  five  for  those 
of  least  significance.  Such  inspections  not  only  protect  the  structure 
from  the  effects  of  incipient  corrosion  and  accidental  damage,  but  also 
make  it  possible  to  confirm  that  the  design  fatigue  life  has  in  fact  been 
achieved. 

There  is  no  hard-and-fast  rule  for  establishing  initial  inspection 
intervals,  because  the  rating  process  itself  must  be  based  on  cautious 
informed  professional  judgment.  The  scale  outlined  in  Exhibit  9.7  does, 
however,  reflect  current  practice  for  commercial  swept- wing  jet  transport 
aircraft,  This  scale  applies  only  to  structural  items  that  meet  damage- 
tolerant  design  criteria.  Safe-life  items  must  also  be  inspected  to  find 
and  correct  any  deterioration  that  could  prevent  attainment  of  the  safe- 
life  limit.  The  ratings  for  corrosion  and  susceptibility  to  accidental 
damage  will  provide  rankings  for  the  relative  intensity  of  such  inspec- 
tions, but  there  is  no  accepted  basis  for  converting  the  resulting  class 
numbers  to  actual  intervals.  This  is  because  of  the  wide  variations  both 
in  susceptibility  to  such  damage  and  in  the  value  judgments  applied 

"The  lowest  number  must  be  used  because  there  is  no  basis  for  tradeoffs  between  any  of 
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cU*»  number  assigned  to  Item 
u a remit  of  rating* 


'nitial  inspection  interval 
as  a fraction  of  fatigue* 
life  design  goal 


1 

2 

3 

4 


1/24 

1/12 

1/8 

1/6 


notes 

1 An  internal  item  whose  class  number  has  been  raised  because  of  external 
detectability  will  have  an  asjodated  external  SSI  with  the  das*  number  of  the 
internal  item  without  this  increase. 

2 Class  1 and  class  2 items  may  be  considered  for  higher  initial  intervals  on 
later  aircraft  after  a sufficient  number  of  inspections  on  the  original  fleet  have 
shown  no  signs  of  deterioration. 

•1  Class  3 and  class  4 items  may  be  considered  as  candidates  for  total-time 
fleet-leader  sampling  after  pertinent  operating  information-become*  available. 


EXHIBIT  9 *7  A suggested  scale  for  converting  class  numbers  to 
relative  inspection  intervals  for  significant  items  in  damage-tolerant 
structure.  In  this  case  the  initial  interval  is  expressed  as  a fraction  of 
the  fatigue-life  design  goal  for  entire  structure.  A similar  scale  cannot 
be  used  for  safe-life  elements  because  the  only  two  factors  rated 
(susceptibility  to  corrosion  and  accidental  damage)  vary  with  the  item 
and  the  intended  use  of  the  equipment. 


to  ratings  in  individual  operating  contexts.  Consequently  the  initial 
intervals  for  safe-life  elements  are  generally  set  at  conservative  values 
which  reflect  their  relative  class  numbers  and  are  extended,  if  possible, 
on  the  basis  of  the  findings  from  these  inspections  after  the  equipment 
enters  service. 

At  this  point  let  us  examine  some  of  the  implications  of  Exhibits 
9.6  and  9.7  and  see  how  the  starting  and  repeat  intervals  for  structural 
items  relate  to  the  fatigue  characteristics  of  the  item.  Consider  a case 
in  which  the  class  number  of  an  item  results  from  its  crack-propagation 
rating.  The  relationships  would  be  as  follows: 


class  number 

1 

2 

3 

4 


ratio  of  crack-growth 
interval  to  fatigue- 
life  design  goal 

1/8 

1/4 

3/8 

1/2 


ratio  of  inspection 
interval  to  fatigue- 
life  design  goal 


1/24 

1/12 

1/8 

1/6 
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In  each  case  the  inspection  interval  ensures  three  inspections  be- 
tween the  time  of  crack  initiation  and  time  at  which  the  crack  will  reach 
critical  length.  The  intervals  are  therefore  quite  satisfactory  for  use  as 
repeat  intervals  to  detect  potential  failures  before  the  item  actually  frac- 
tures. However,  these  intervals  are  also  used  in  the  initial  program  to 
define  the  ages  at  which  inspections  must  be  performed  to  begin  the 
age-exploration  process.  The  same  interval  will  be  used  for  the  (irst, 
second,  and  subsequent  inspections  of  the  item  until  there  is  sufficient 
information  to  support  a change.  Such  information  will  usually  show  an 
absence  of  deterioration  at  lower  ages,  and  it  will  then  be  possible  to 
start  inspections  on  later-delivery  airplanes  at  a higher  age  — that  is,  to 
eliminate  the  first  few  inspections  in  the  sequence. 

Now  suppose  that  the  item  in  question  has  a class  number  of  1, 
and  that  the  ratings  for  residual  strength  and  crack  propagation  are  both 
1.  The  inspection  interval  of  1/24  of  the  fatigue-life  design  goal  is  suf- 
ficiently conservative  to  protect  a very  significant  item  in  damage- 
tolerant  structure.  If  both  ratings  are  2,  the  inspection  interval  will  be 
increased  to  1/12  of  the  design  goal.  However,  if  the  item  has  been  rated 
1 for  residual  strength  and  2 for  crack  propagation,  the  class  number  is  1 
and  the  inspection  interval  remains  at  1/24  of  the  fatigue-life  design 
goal  — a somewhat  illogical  but  subjectively  attractive  increase  in  con- 
servatism, both  for  protection  of  the  item  and  for  the  intensity  of  age 
exploration. 

Low  ratings  for  fatigue  life  and  exposure  to  corrosion  or  accidental 
damage  can  lead  in  the  same  way  to  increased  conservatism.  Although 
the  intervals  in  Exhibit  9.7  are  generally  conservative,  items  with  fair  .• 
rapid  crack-propagation  characteristics  may  be  far  off  the  scale  and  may 
require  special  treatment.  This  is  frequently  the  case  with  serious  unan- 
ticipated failures  which  occur  after  the  airplane  enters  service,  but  then 
real  information  is  available  for  use  in  establishing  the  appropriate 
intervals  for  first  and  repeat  inspections. 

While  the  question  of  when  each  item  should  first  be  inspected  is 
always  believed  to  be  of  intrinsic  importance  in  developing  an  initial 
inspection  program,  it  is  an  interesting  paradox  that  the  methods  actu- 
ally used  to  determine  initial  intervals  can  be  explained  only  in  terms 
of  repeat  intervals,  with  in-service  age  exploration  to  establish  which 
multiple  of  these  intervals  should  be  used  as  the  starting  interval  on 
later-delivery  airplanes.  There  has  been  a gradual  extension  of  initial 
inspection  intervals  as  a result  of  satisfactory  experience  with  in-service 
aircraft,  and  further  experience  may  well  support  substantially  longer 
initial  intervals  for  designs  incorporating  familiar  technology. 

It  is  important  to  remember  that  the  intervals  suggested  in  Exhibit 
9.7  are  based  on  vast  experience  with  various  types  of  airplanes  that 
have  employed  similar  materials,  design  practices,  and  manufacturing 
processes.  They  can  therefore  be  applied  with  confidence  to  new  types 


APPLICATIONS 


of  airplanes  that  represent  an  extrapolation  of  this  experience.  However, 
if  the  aircraft  designer  is  less  experienced  in  this  field,  or  if  new  types 
of  materials  or  new  manufacturing  or  bonding  processes  are  employed, 
or  if  the  equipment  is  to  be  operated  in  an  unfamiliar  environment 
(such  as  supersonic  transport),  the  initial  intervals  must  be  far  more 
conservative  and  the  age-exploration  activity  more  intensive.  It  goes 
without  saying  that  the  effectiveness  of  an  inspection  program  depends 
on  the  proper  identification  of  structurally  significant  items.  It  is  essen- 
tial, therefore,  that  all  operating  organizations  report  serious  structural 
deterioration  at  any  age  to  central  coordinating  agencies,  usually  the 
manufacturer  and  the  regulatory  agencies,  who  will  evaluate  them  and 
define  new  significant  items,  adjust  inspection  intervals,  call  for  spe- 
cial inspections,  or  even  require  that  modifications  be  made  to  the 
structure. 


9 • 3 ASSEMBLING  THE  REQUIRED 
INFORMATION 


Most  of  the  information  required  to  develop  an  initial  structural  pro- 
gram must  be  supplied  by  the  manufacturer.  In  addition  to  the  test 
data  used  to  establish  fatigue  life  and  the  effect  of  a failure  on  residual 
strength,  the  working  group  must  know  the  flight  profile  assumed  as 
the  basis  for  fatigue-life  design  goals  and  the  structural  design  philoso- 
phy that  was  followed.  To  determine  appropriate  inspection  intervals, 
they  must  also  know  whether  the  design  characteristics  include  external 
evidence  of  internal  failures,  what  the  accessibility  of  each  item  will  be, 
the  physical  properties  of  each  of  the  materials  used,  and  the  corrosion- 
prevention  procedures  and  types  of  paint  systems  used. 

All  this  information  is  provided  during  the  design  reviews  con- 
ducted by  the  manufacturer.  As  an  example,  the  following  design  goals 
were  discussed  with  the  entire  working  group  during  early  presenta- 
tions on  the  Douglas  DC-10: 


initial  information 
requirements 

the  information  worksheet 


► The  residual  strength  after  the  failure  of  any  single  structural  item 
must  be  great  enough  to  withstand  the  applied  limit  load  con- 
sidered as  an  ultimate  load  (the  criterion  for  damage-tolerant 
structure). 

► A part  containing  discontinuities  must  have  a fatigue  life  equal  to 
or  greater  than  the  same  part  without  discontinuities. 

► Joints  must  be  stronger  than  their  surrounding  elements. 

► The  design  goal  for  the  airplane  is  a mean  fatigue  life  of  120,000 
flight  hours,  with  a reasonable  probability  that  any  single  airplane 

will  be  crack-free  to  60,000  hours  (approximately  20  years).  SECTION  9-3  247 
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► Every  effort  must  be  made  to  ensure  that  areas  most  subject  to 
fatigue  damage  are  easy  to  inspect  by  detailed  inspections  in  small 
localized  areas. 

► The  outer-skin  cracks  which  are  evidence  of  fractures  in  adjacent 
internal  elements  must  be  detectable  before  they  reach  critical 
length. 

Proper  evaluation  of  this  information,  however,  depends  heavily 
on  the  experience  and  professional  judgment  that  the  working-group 
members  bring  to  the  decision  process.  From  experience  with  other 
recent  designs,  they  will  know  the  areas  of  the  structure  in  which  fa- 
tigue cracks  are  most  likely  to  appear,  the  parts  of  the  airplane  subjected 
to  the  harshest  environmental  conditions  (trapped  water,  condensation, 
spillage,  damage  from  cargo),  the  durability  and  effectiveness  of  pro- 
tective coatings  in  actual  use,  and  the  reaction  of  various  structural 
materials  under  loads  and  environmental  conditions  similar  to  those 
to  which  the  new  aircraft  will  be  subjected. 

The  data  elements  that  must  be  assembled  for  each  structural  item 
to  be  analyzed  are  similar  to  those  required  for  systems  and  powerplant 
items.  Because  the  primary  decision  problem  concerns  the  assignment 
of  appropriate  inspection  intervals,  however,  the  information  is  re- 
corded in  a slightly  different  form  (see  Exhibit  9.8).  In  addition  to  the 
item  name  and  number,  which  are  usually  based  on  the  manufacturer's 
identification  of  parts  for  design  refeience,  a brief  description  is  needed 
to  pinpoint  the  exact  location  of  the  item.  The  zone  numbers  are  also 
included,  since  they  are  useful  when  the  tasks  are  assembled  into  work 
packages.  If  an  item  appears  on  both  sides  of  the  aircraft,  both  zone 
numbers  should  be  included.  Similarly,  if  it  is  a skin  panel  or  some 
other  large  area,  all  zone  designators  should  be  included. 

It  is  important  to  specify  the  materials  from  which  the  item  is  manu- 
factured, since  prior  experience  with  various  materials  will  have  great 
bearing  on  the  evaluation  of  their  properties.  The  results  of  fatigue  and 
static-load  tests  of  the  complete  airplane  or  its  major  assemblies  are 
usually  not  available  at  the  time  an  initial  program  is  developed,  since 
the  tests  on  most  items  will  still  be  in  progress.  However,  there  are  often 
test  data  on  smaller  assemblies,  and  in  some  cases  relevant  data  may  be 
available  for  a similar  portion  of  the  structuie  on  in-service  aircraft. 
Where  tests  on  safe-life  items  are  still  in  progress,  the  test  data  which 
are  available  must  show  a zero  conditional  probability  of  failure  at  the 
safe-life  limit  indicated. 

In  the  case  of  all  structural  analyses  it  is  necessary  to  indicate 
whether  the  item  is  a safe-life  element  or  meets  the  criteria  for  damage- 
tolerant  design.  The  worksheet  should  also  show  whether  the  item  is  an 
internal  one  or  is  visible  externally.  As  with  systems  and  powerplant 


items,  the  design  redundancies  that  make  an  item  damage-tolerant  and 
the  external  detectability  of  internal  problems  help  to  determine  the 
specific  area  (or  areas)  of  the  structure  defined  as  structurally  signifi- 
cant, as  well  as  the  ratings  which  establish  the  intensity  of  inspection 
required.  The  ratings  themselves  are  recorded  on  the  worksheet,  along 
with  the  class  number  assigned  to  the  item  as  a result  of  the  controlling 
rating  factor.  Where  individual  ratings  have  been  increased  because  of 
external  detectability  or  decreased  because  of  the  absence  of  test  data, 
these  adjustment  factors  should  be  noted.  The  information  on  related 
structurally  significant  items  is  especially  useful  in  evaluating  later 
adjustments  of  the  initial  intervals  as  a result  of  age  exploration. 

Whereas  the  information  worksheets  for  rystems  and  powerplant 
items  included  a detailed  list  of  functions,  functional  failures,  failure 
modes,  and  failure  effects,  this  information  is  rarely  needed  on  struc- 
tures worksheets.  (The  reason  for  this  will  be  explained  in  the  next  sec- 
tion.) Instead,  the  rest  of  the  worksheet  covers  the  nature  of  the  pro- 
posed inspection  tasks.  Where  both  general  and  detailed  inspections 
are  required  for  the  same  item,  each  task  is  listed  separately,  with  its 
appropriate  interval.  If  the  item  is  one  that  is  likely  to  control  the  work 
package  in  which  it  is  included,  the  initial  interval  should  be  stated  in 
actual  operating  hours,  spectrum  hours,  or  flight  cycles.  Where  a wide 
range  of  intervals  can  be  assigned,  it  may  be  necessary  only  to  state  the 
letter-check  package  in  which  the  task  is  to  be  included  (see  Section  4.6). 

In  assigning  initial  inspection  intervals  it  is  important  to  bear  in 
mind  that  the  structural  inspection  program  will  provide  the  framework 
for  all  the  major  scheduled-maintenance  packages.  Thus  tasks  must  be 
considered  not  only  in  terms  of  their  frequency,  but  also  in  terms  of  the 
length  of  time  the  aircraft  will  have  to  be  out  of  service  while  they  are 
performed.  Inspections  directed  at  those  portions  of  the  structure  that 
are  both  easily  accessible  and  the  most  susceptible  to  corrosion  or  acci- 
dental damage  are  called  out  in  the  more  frequent  lower-level  packages, 
from  the  walkaround  check  on  up.  While  the  intervals  must  be  short 
enough  both  to  protect  the  equipment  and  to  find  damage  at  a stage 
when  it  is  still  inexpensive  to  repair,  when  damage  is  found,  the  repair 
itself  may  be  scheduled  for  a later  time. 

The  more  extensive  inspections  — those  that  will  take  the  airplane 
out  of  service  for  more  than  twenty-four  hours -are  usually  consoli- 
dated in  a work  package  performed  at  much  longer  intervals.  Many  of 
the  internal  inspections  can  be  performed  only  at  the  major  mainte- 
nance base,  where  the  airplane  can  be  disassembled  as  necessary  to 
check  parts  of  the  structure  for  evidence  of  fatigue  as  well  as  corrosion 
damage.  This  comprehensive  inspection,  or  "airplane  overhaul,"  is 
usually  referred  to  as  a D check  and  includes  all,  or  nearly  all,  the  inspec- 
tion tasks  in  the  program.  Depending  on  the  complexity  of  the  structure  SECTION  9-3  249 


EXHIBIT  9-8  A worksheet  for  recording  the  relevant  information, 
ratings,  and  task  outcomes  for  structurally  significant  items. 

STRUCTURES  WORKSHEET  type  of  aircraft 

no.  per  aircraft 
major  area 
zone(a) 

description/location  details 


item  number 
item  name 

vendor  part/model  no. 


material  (include  manufacturer's  trade  name) 

fatigue-test  data 

expected  fatigue  life  hours  crack  propagation  hours 

established  safe  life 

design  conversion  ratio  operating  hours/flight  cycle 
rat!ngs 

residual  fatigue  crack  accidental  controlling 

strength  life  growth  corrosion  damage  class  no.  factor 

adjustment  factors 


prepared  by 

date 

reviewed  by 

date 

approved  by 

date 

design  criterion  (check) 

inspection  access  (check) 

damage-tolerant  element 

internal 

safe-life  element 

external 

redundancy  and  external  detectability 

is  element  inspected  via  a related 

classification  of 

SSI?  If  so,  list  SS!  no. 

item  (check) 

stgnk'.csnt 

nonsignificant 

Insj.  ,-ction 

(int./ext.)  proposed  task 

initial  interval 
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and  the  size  of  the  maintenance  crew,  it  may  take  the  airplane  out  of 
service  foi  a week  to  several  months. 

The  first  of  these  complete  inspections  is  a very  important  part  of 
the  age-exploration  program,  since  it  includes  many  inspections  that 
are  being  performed  for  the  first  time.  The  first  airplane  that  ages  to  the 
initial  interval  becomes  the  inspection  sample;  the  findings  for  each 
item  are  carefully  evaluated,  tasks  and  intervals  for  individual  items 
are  adjusted  as  necessary,  and  the  conservative  initial  interval  for  the 
D-check  package  is  extended.  Consequently,  although  external  inspec- 
tions are  performed  on  every  airplane,  most  internal  items  will  be 
inspected  at  the  initial  interval  only  on  the  first  one  or  first  few  air- 
planes to  reach  this  age  limit.  They  will,  however,  be  inspected  at  suc- 
cessive!;' higher  ages  as  the  equipment  ages  in  service,  often  on  a fleet- 
leader  sampling  basis. 


9 • 4 RCM  ANALYSIS  OF  STRUCTURAL  ITEMS 


analysis  of  damage-tolerant 
elements 

analysis  of  safe-life  elements 


As  we  saw  in  Chapters  7 and  8,  RCM  analysis  of  systems  and  power- 
plant  items  may  fall  in  any  branch  of  the  decision  diagram.  In  contrast, 
all  structurally  significant  items  fall  in  the  safety  branch  and  the  eval- 
uation of  proposed  tasks  can  have  only  one  of  two  possible  outcomes 
(see  Exhibit  9.9).  This  is  true  no  matter  which  of  the  structural  functions 
we  consider.  As  an  example,  one  function  of  the  aircraft  structure  is  to  ' 
permit  lifting  forces  to  balance  the  weight  of  the  airplane.  Although 
most  of  the  lift  is  provided  by  the  wing,  its  center  of  lift  does  not  neces- 
sarily coincide  with  the  airplane's  center  of  gravity,  and  the  horizontal 
stabilizer  must  provide  a balancing  load  that  brings  the  vertical  fmces 
into  equilibrium.  The  portions  of  the  structure  associated  with  this 
function,  therefore,  are  the  wing,  the  fuselage,  and  the  horizontal  tail. 

The  first  question  is  whether  a loss  of  the  balancing  function  will 
be  evident: 


1 Is  the  occurrence  of  a failure  evident  to  the  operating  crew  during 
performance  of  nonnal  duties? 


The  answer  is  yes,  of  course,  since  a loss  of  this  function  as  the  result 
of  a structural  failure  would  be  all  too  evident,  not  only  to  the  crew,  but 
to  any  other  occupants  of  the  airplane  as  well. 

Next  we  would  ordinarily  examine  the  various  failure  modes  that 
could  cause  such  a failure.  In  the  case  of  structural  items,  however, 
the  failure  modes  all  involve  the  fracture  of  a load-carrying  member. 
Thus  the  following  question  relates  to  any  of  the  failure  possibilities: 
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EXHIBIT  9 ’9  The  branch  of  the  decision  diagram  used  for  RCM 
analysis  of  all  function1  of  the  aircraft  structure.  The  only  possible  task 
outcomes  for  structurally  significant  items  are  on-condition  inspection 
for  elements  of  damage-tolerant  structure  and  a combination  of 
on-condition  and  discard  tasks  for  safe-life  elements. 


2 Does  the  failure  cause  ii  loss  of  function  or  secondary  damage  that 
could  have  a direct  adverse  effect  on  operating  safety? 


The  fracture  of  a structural  item  may  well  cause  critical  seconucry  dam- 
age, but  in  this  case  the  loss  of  function  alone  is  sufficient  to  classify  the  SECTION  9-4  253 
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failure  as  critical.  The  answer  to  this  question  is  therefore  yes  regard- 
less of  the  failure  mode  involved,  and  further  analysis  falls  in  the  safety 
branch  of  the  decision  diagram.  This  means  that  scheduled  mainte- 
nance is  required  and  that  a task  wil'  ' a considered  effective  only  if  it 
reduces  the  risk  of  a functional  faih..  _*  to  an  acceptable  level;  in  other 
words,  it  must  result  in  substantial  preservation  of  the  load-carrying 
capability  of  the  item. 

The  first  type  of  task  we  would  consider  is  an  on-condition  inspec- 
tion: 

4 Is  an  on-condition  task  to  detect  potential  failures  both  applicable 
and  effective? 

For  items  designed  to  damage-tolerance  criteria  the  answer  to  this 
question  is  yes.  The  existence  of  a crack  in  a structural  element  can  be 
defined  as  a potentia1  failure,  and  in  an  assembly  with  redundant  load 
paths  even  the  fracture  of  one  element  will  not  reduce  residual  strength 
below  the  safety  level.  Hence  an  on-condition  task  is  applicable,  and 
if  it  is  performed  at  short  enough  intervals  to  ensure  that  a second  ele- 
ment does  not  hacture  (or  in  the  case  of  a monolithic  member,  that  the 
crack  does  not  propagate  to  critical  length),  the  task  is  also  effective. 
RCM  analysis  of  a damage-tolerant  element  is  therefore  complete  once 
this  question  has  been  answered,  and  all  that  remains  is  to  assign  appro- 
priate inspection  intervals  for  each  of  the  significant  items. 

For  safe-life  items  the  answer  to  question  4 is  no.  Although  the 
initiation  of  a fatigue  crack  can  still  be  defined  as  a potential  failure, 
unless  its  propagation  characteristics  meet  damage-tolerant  load  re- 
quirements, we  cannot  rely  on  on-condition  inspections  to  prevent 
fatigue  failures.  Such  inspections  are  applicable  to  detect  corrosion  and 
accidental  damage,  which  can  greatly  shorten  fatigue  life,  but  since  they 
will  not  prevent  all  functional  failures,  we  must  look  for  other  tasks: 

5 Is  a rework  task  to  reduce  the  failure  rate  both  applicable  and 
effective? 

Although  the  fatigue  process  is  directly  related  to  operating  age,  there 
is  no  form  of  remanufacture  that  will  en.se  the  cumulative  effect  of  the 
loads  the  material  has  experienced  up  to  that  point  (restore  the  original 
resistance  to  failure).  A rev’ork  task  can  therefore  have  no  effect  on  the 
time  at  which  fatigue  failures  might  occur.  Since  this  task  is  not  appli- 
cable, the  answer  to  the  rework  question  is  no,  and  we  must  consider  the 
next  possibility,  a safe-life  discard  task. 


6 Is  a discard  task  to  avoid  failures  or  reduce  the  failure  rate  both 
applicable  and  effective? 


A safe-life  limit  is  based  on  the  fatigue  life  of  the  item,  as  established 
during  developmental  testing.  However,  since  corrosion  and  damage 
can  affect  that  life,  these  factors  may  prevent  a structural  element  from 
reaching  the  safe-life  age  established  on  the  basis  of  testing  in  a less 
hostile  environment.  Consequently  we  cannot  conclude  that  a safe-life 
discard  task  alone  will  satisfy  the  criterion  for  effectiveness  in  pre- 
venting critical  failures,  and  the  answer  to  this  question  is  no. 

A no  answer  to  question  6 brings  us  to  the  final  question  in  the 
safety  branch: 


7 Is  a combination  of  preventive  tasks  both  applicable  and  effective? 


Both  on-condition  and  discard  tasks  are  applicable,  and  a combination 
of  the  two  meets  the  effectiveness  requirements.  The  on-condition 
inspections  ensure  that  the  item  will  reach  its  safe-life  limit,  and  the 
discard  task  ensures  that  it  w ill  be  removed  from  service  before  a fatigue 
failure  occurs. 

The  results  of  this  analysis  are  shown  on  the  decision  worksheet, 
in  Exhibit  9.10.  Note  that  an  analysis  of  any  one  of  the  functions  listed 
in  Section  9.1  would  follow  the  same  path  and  lead  to  the  same  out- 
comes: on-condition  inspections  for  damage-tolerant  items  and  on- 
condition  inspections  plus  discard  at  the  safe-life  limit  for  safe-life 
items.  If  the  elements  of  a damage-tolerant  assembly  were  analyzed 
individually,  the  fracture  of  a single  element  would  be  viewed  at  the 
assembly  level  as  a hidden  failure.  The  task  itself,  however,  would  be 
exactly  the  same  — an  inspection  for  cracks  and  corrosion  scheduled  at 
intervals  short  enough  to  avoid  the  risk  of  a multiple  failure  of  such 
elements. 

Once  again,  particular  care  must  be  given  to  the  definition  of  func- 
tions and  functional  failures.  For  example,  one  of  the  functions  of  the 
structure  is  to  provide  movable  flight-control  surfaces  for  maneuvering 
the  airplane.  However,  if  the  ailerons  on  each  wing  are  duplicated,  a 
failure  of  one  of  the  two  ailerons  will  not  result  in  a loss  of  that  function. 

Rather,  from  the  standpoint  of  maneuvering  capability,  it  will  result  in 
a potential  failure.  In  this  sense  the  f .ilureofa  single  aileron  is  analogous 
to  the  fracture  of  a single  element  in  a damage-tolerant  assembly,  and 
the  maintenance  task  to  prevent  a loss  of  aileron  function  to  the  aircraft 
is  an  on-condition  inspection  scheduled  at  intervals  short  enough  to 

prevent  the  failure  of  more  than  one  aileron.  SECTiON  9-4  255 
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EXHIBIT  9*10  The  results  of  RCM  analysis  for  structurally  significant 
items.  All  functions  of  the  aircraft  structure  depend  on  the  ability  of 
significant  elements  to  withstand  applied  loads,  and  all  failure  modes 
lead  ultimately  to  a fatigue  failure  resulting  in  the  loss  of  this  load- 
carrying capability.  Thus  the  answers  to  the  decision-diagram 
questions  will  be  the  same  for  any  damage-tolerant  item  and  for  any 
safe-life  item,  regardless  of  the  particular  item  under  consideration. 


9 • 5 ESTABLISHING  INITIAL  INSPECTION  INTERVALS 

damage-tolerant  items  The  Douglas  DC-10  is  basically  a damage-tolerant  aircraft,  the  only 
safe-life  items  safe-life  items  being  the  nonredundant  parts  of  the  landing  gear.  During 
the  very  early  development  of  this  design  typical  structural  components 
were  fatigue-tested,  either  individually  or  in  assemblies  or  sections, 
to  determine  their  contribution  to  the  design  goal  of  an  average  crack- 
free  fatigue  life  of  120,000  hours,  with  60,000  hours  of  crack-free  opera- 
tion for  any  individual  airplane.  Although  a fatigue  test  on  the  entire 
structure  was  conducted  to  the  full  120,000  hours,  and  inspections  were 
to  be  concentrated  on  this  article  as  the  test  progressed,  the  final  results 
were  not  available  at  the  time  the  initial  program  for  the  DC-10  was 
256  APPLICATIONS  developed.  The  following  examples  have  been  updated  to  reflect  both 


prcpand  by 


reviewed  by 


PH*  of 
item  number 


proposed  Uek 


initial  interval 


On-condition  inspection  for  cocks, 
corrosion,  and  accidental  damage 


On-condition  inspection  for  cocks, 
corrosion,  and  accidental  damage 

Discoid  at  safe-life  limit 


As  determined  by  class  number 
of  item 


As  determined  by  class  number 
of  item 

As  determined  by  safe-life  limit 
for  item 


the  results  of  the  fatigue  test  and  the  additional  parameters  used  in  RCM 
analysis.*  However,  the  recommended  intervals  resulting  from  this 
analysis  are  similar  to  (although  not  identical  with)  those  in  the  original 
prior-to-service  program. 

•The  structural  program  for  the  DC- 10,  developed  just  before  this  aircraft  was  certified, 
was  based  on  MSG-2  principles,  which  involved  a similar  comprehensive  analysis.  For 
a detailed  discussion  of  the  considerations  behind  the  original  program  see  M.  E.  Stone 
and  H.  F.  Heap,  Developing  the  DC-10  Structural  Inspection  Program,  Seventh  Annual 
FAA  International  Aviation  .Maintenance  Symposium,  Oklahoma  City,  Oklahoma,  December 
7-9,  1971,  and  M.  E.  Stone,  Airworthiness  Philosophy  Developed  from  Full-scale  Testing, 

Biannual  Meeting  of  the  international  Committee  on  Aeronautical  Fatigue,  London,  July 
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DAMAGE-TOLERANT  STRUCTURAL  DIMS 

The  wing-to-fuselage  attach  tee,  together  with  the  structural  area  around 
it,  is  one  of  the  damage-tolerant  structurally  significant  items  on  the 
Douglas  DC-10.  This  portion  of  the  structure,  identified  as  SSI  105,  is 
located  on  the  top  surface  of  the  wing  and  consists  of  the  titanium-alloy 
tee  at  wing  station  XW  118.2  and  the  aluminum-alloy  fuselage  and  upper 
wing  skin  within  12  inches  of  it.  The  tee,  which  is  in  three  separate, 
sections,  extends  from  the  front  to  the  rear  spar  and  forms  part  of  the 


EXHIBIT  9- II  Worksheet  for  analysis  of  the  wing-to-fuselage  attach 
tee  on  the  Douglas  DC-10. 


STRUCTURES  WORKSHEET  type  of  aircraft  Douglas  DC-10-10 


item  number  105 

item  name  Wing-to-fuselage  attach  "tec" 
vendor  part/model  no.  573.01.105/DC-10-10 


no.  per  aircraft  2 

major  area  Outer  wing,  upper  akin  panel 
zoned)  264/5, 161/2,  254/5,  274/5 


description/location  details 

Attach  tee  jj  located  under  upper  wing-root  fairing  and  runt  along 
upper  chord  from  front  to  rear  spar  at  wing  station  XW  118.2;  SSI 
indudes  attach  tee  and  skin  12  in.  all  aides  of  tee  (both  faces), 
accessible  through  doors  527FB,  627FB,  527GB,  and  627GB. 


material  (Include  manufacturer's  trade  name)  Titanium  alloy  6A1-4V 

(Douglas  specification  1(50) 


fatigue-teat  data 

expected  fatigue  life  240,000  hours  crack  propagation  60,000  hours 
established  safe  life  

design  conversion  ratio  1.5  operating  hours/ flight  cycle 
ratings 

residual  fatigue  crack  accidental  controlling 

strength  life  growth  corrosion  damage  class  no.  factor 


4 4 4 4 4 4 
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mating  joint  between  the  wing  and  the  fuselage.  It  also  forms  part  of 
the  pressure  vessel;  thus  it  is  subjected  to  pressurization  loads  as  well 
as  to  flight  loads.  This  structural  item  cannot  be  seen  externally.  The 
outer  portion  is  under  the  wing-to-fuselage  fairing  and  the  inner  portion 
is  under  the  cabin  flooring. 

Exhibit  9.11  shows  all  the  pertinent  information  for  this  significant 
item,  a record  of  the  ratings,  and  the  resulting  inspection  interval. 
The  rating  for  residual  strength  in  this  case  is  4 because  the  tee  plays 


prepared  by  H.  F.  Heap 

date  5/12/78 

reviewed  by  F.  S.  Nowlan 

date  5/12/78 

approved  by 

date 

design  criterion  (check) 

inspection  access  (check) 

X damage-tolerant  element 

X internal 

safe-life  element 

external 

redundancy  and  external  detectability 

Three  pieces  to  prevent  cracks  from  growing  to  entire 
length  of  tee;  no  external  detectability. 

Is  element  inspected  via  a related 

SSI?  If  so,  list  SSI  no. 

classification  of 
item  (check) 

No 

X significant 

nonsignificant 

inspection 

(int./ext.)  proposed  task 

initial  interval 

Internal  Detailed  visual  inspection 
for  corrosion  and  cracking 


Not  to  exceed  20, 00-) 
hours  (D  check) 
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forms  the  rear  wall  of  the  integral  fuel  tanks,  and  since  the  front  tang 
of  the  spar  cap  is  therefore  difficult  to  inspect,  it  was  designed  fora  lower 
stress  level  than  the  rear  tang  and  will  thu  have  a longer  fatigue  life. 
This  means  that  inspection  of  the  rear  tang  will  provide  the  first  evidence 
of  fatigue  in  the  spar  cap,  particularly  if  inspections  are  concentrated  on 
regions  of  structural  discontinuities,  such  as  splices  (the  spar  is  made  in 
four  sections  which  are  spliced  together). 

The  area  identified  as  SSI  079  in  Exhibit  9.13  is  the  rear  tang  of  the 
lower  spar  cap  at  a point  where  the  spar  is  spliced  and  also  changes 
direction.  This  point  lies  behind  the  wing-engine  pylon  and  is  in  front 
of  the  aileron  attach  fitting.  The  spar  cap  and  splice  require  internal 


EXHIBIT  9-13  A portion  of  the  Douglas  DC-10  wing  rear  spar, 
showing  the  lower  spar  cap  and  splice  (SSI  079).  This  view  is  from 
aft  of  the  left-hand  wing,  looking  forward  al  the  outer-wing  rear  spar 
and  tiailing-edge  beam.  (Douglas  Aircraft) 


Trailing-edge  beam 


Station  X-- 


i'T 


br 


b j 


m 


0,79  / Lower  cap  and  splice 


.080  / Upper  cap  and  splice 


.082  / Spar  webs  and  spuces 


Rear  spar 


Trailing-edge  beam 
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inspection  and  are  accessible  through  two  doors  in  the  lower  wing  skin 
behind  the  wing  tank  on  each  side  of  the  aircraft.  Internal  problems  are 
expected  to  show  such  external  signs  as  fuel  leaks,  cracked  skin,  or 
popped  rivets  long  before  any  extensive  deterioration  of  the  underlying 
structure  occurs. 

The  information  for  this  item  is  summarized  on  the  worksheet  in 
Exhibit  9.14.  In  this  case  a failure  will  have  a large  effect  on  residual 
strength.  The  rating  for  residual  strength  is  therefore  1.  The  splice  has 


EXHIBIT  9-14  Worksheet  for  analysis  of  the  lower  spar  cap  and  splice 
on  the  wing  rear  spar  of  the  Douglas  DC-10. 


STRUCTURES  WORKSHEET  type  of  aircraft  Douglas  DC-10-10 


item  number  079  no.  per  aircraft  2 

item  name  Lower  spar  cap  and  kplice  major  area  Wing 
vendor  part/model  no.  571.04.079/DC-10-10  zone(t)  541,  641 


deacription/location  details 

Cap  and  aplice  are  located  on  aft  lower  face  of  wing  rear  spar  at  outer 
rear  spar  stations  XoM372  to  480;  SSI  includes  aft  face  of  cap  and  splice, 
accessible  through  doors  541HB;  641HB,  541FB,  and  641FB. 


material  (include  manufacturer's  trade  name)  Aluminum  alloy  7075-T651 


fatigue-test  data 

expected  fatigue  life  120,000  hours  crack  propagation  15,000  hours 
established  safe  life 

design  conversion  ratio  1.5  operating  hours/flight  cycle 


residual 

strength 

fatigue 

life 

ratings 

crack 

growth  corrosion 

accidental 

damage 

controlling 
class  no.  factor 

1 

3* 

2*  2 

4 

1 Residual 

strength 
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adjustment  factors  ’Increased  by  1 for  external  detectability 


an  anticipated  fatigue  life  1 Va  times  the  120,000-hour  design  goal,  and 
the  crack-propagation  interval  is  1/8  of  this  time.  Ordinarily  this  would 
mean  a fatigue-life  rating  of  2 and  a crack-propagation  rating  of  1.  How- 
ever, because  of  the  excellent  external  indicators  of  deterioration,  both 
ratings  have  been  increased  by  1.  The  corrosion  rating  is  2 because  of 
the  location  of  this  item;  it  is  exposed  to  dirt  and  moisture  condensation. 
The  rating  for  susceptibility  to  accidental  damage  is  4 because  the  item 
is  internal  and  is  exposed  to  very  little  mechanic  traffic. 


prepared  by  H.  F.  Heap  date  5/12/78 

reviewed  by  F.  S.  Nowlan  date  5/12/78 


approved  by 


design  criterion  (check)  inspection  access  (check) 

X damage-tolerant  element  X internal 

safe-life  element  external 


redundancy  and  external  detectability 

Designed  fur  rear  tang  of  spar  cap  to  show  first  evidence  of 
fatigue;  deterioration  visible  externally  (fuel  leaks,  cracked 
skin,  popped  rivets,  discoloration) 


Is  element  inspected  via  a related  classification  of 

SSI?  If  so,  list  SSI  no.  item  (check) 

Yes.  SSI  077  (forward  face)  SSI  079  X significant 

(external  area) 

nonsignificant 


inspection 

(int./ext.)  proposed  task  initial  interval 

Internal  Detailed  visual  inspection  Not  to  exceed  5,000  hours 
for  corrosion  and  cracking 


The  controlling  factor  is  the  residual-strength  rating.  The  class 
number  is  therefore  1,  and  this  item  is  scheduled  for  inspection  at  1/24 
of  the  overall  fatigue  life,  or  an  interval  of  5,000  hours.  This  is  a starting 
interval  for  the  initial  program,  and  it  may  be  extended  for  later-delivery 
airplanes  on  the  basis  of  the  inspection  findings  after  the  first  airplanes 
have  gone  into  service.  In  addition  to  this  internal  inspection,  the  ex- 
ternal area  expected  to  show  evidence  of  internal  problems  will  also  be 


EXHIBIT  9‘I5  Worksheet  for  analysis  of  the  lower  spar  cap  and 
splice  (forward  face)  on  the  wing  rear  spar  of  the  Douglas  DC-10. 


STRUCTURES  WORKSHEET  type  of  aircraft  Douglas  DC-10-10 

item  number  077  n0.  per  aircraft  2 

item  name  Lower  spar  cap  and  apUce  major  area  Wing 
vendor  part/model  no.  571.04.077/DC-1D-10  zonefa)  533,  633 

description/location  detail* 

Cap  and  aplice  are  located  on  forward  face  of  wing  rear  spar  at  outer  rear 
spar  stations  XORS372  to  480;  SSI  includes  forward  face  of  cap  and  aplice, 
accessible  through  doors  533AT  and  633AT. 


material  (include  manufacturer's  trade  name)  Aluminum  alloy  707S-T6S1 


fatigue- test  data 

expected  fatigue  life  120,000  hours  crack  propagation  15,000  hours 
established  safe  life 

design  conversion  ratio  1-5  operating  hours/flighl  cycle 


residual 

strength 

fatigue 

life 

ratings 

crack 

growth 

corrosion 

accidental 

damage 

class  no. 

controlling 

factor 

4 

4 

4 

— 
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adjustment  factors  Ratings  for  residual  strength,  fatigue  life,  and  crack 
growth  not  applicable,  coven*,  by  SSI  079 


designated  a significant  item,  and  this  external  area  will  be  inspected 
at  least  as  frequently. 

The  front  tang  of  the  spar  cop,  identified  as  SSI  077,  is  not  expected 
to  be  the  first  indicator  of  fatigue  damage.  It  must  be  inspected  for 
corrosion,  however,  because  if  is  in  the  fuel  tank  and  is  thus  exposed 
to  a different  environment  from  the  rear  tang,  Since  the  forward  face  of 
the  spar  is  an  interior  surface  of  the  fuel  tank,  it  is  necessary  to  drain  and 


prepared  by 

H.  f Heap 

date 

5/12/78 

reviewed  by 

F.  S.  Nowlan 

date 

5/1778 

approved  by 

deale 

design  criterion  (check) 

X damage- tolerant  element 

safe- life  element 

redundancy  and  external  detectability 
At  for  SSI  079 


Inapectlon  access  (check) 
X internal 

external 


ti  element  inspected  via  a related 
SSI?  U so,  list  SSI  no. 

Yet.  SSI  079  (ah  face),  SSI  077 
(external  ana) 


classification  of 
item  (check) 

X significant 
nonsignificant 


inspection 

tint./exO  proposed  task  initial  interval 


Internal  Detailed  visual  inapectlon  Not  to  exceed  30,000 
for  corroafon  and  cracking  hour*  (D  check) 


stcnoN  o s 2t>5 


.078  Upper  cap  and  splice 


Span  at  bulkhead 
intersection 


Lower  cap  ar.d  splice 


EXHIBIT  9' 16  A portion  of  the  Douglas  DC-10  wing  rear  spar, 
showing  the  forward  face  of  the  lower  spar  cap  and  splice  (SSI  077). 

This  view  is  from  forward  of  the  left-hand  wing,  looking  aft  at  the 
rear  spar  of  the  outer  wing  box  (upper  panel  removed  for  clarity). 

(Douglas  Aircraft) 

purge  the  tank  in  order  to  inspect  it.  The  worksheet  in  Exhibit  9.15 
shows  no  ratings  for  residual  strength,  fatigue  life,  or  crack  propagation 
because  these  factors  are  covered  for  the  spar  cap  by  SSI  079.  Suscepti- 
bility to  coriosion  is  rated  as  very  low,  4,  because  the  tank  itself  is  com- 
pletely sealed  and  is  protected  from  microbial  action  by  inhibitors 
The  accidental-damage  rating  is  also  4,  because  this  face  oi  the  spar  is 
exposed  to  "ven  less  possibility  for  damage  than  the  opposite  face. 

The  class  number  in  this  case  is  the  lower  of  the  two  rating  factors, 
cr  4.  Thus  this  item  will  be  inspected  initially  at  1/6  of  the  fatigue-life 
design  goal,  or  an  interval  of  20,000  hours.  With  a class  number  of  4,  it 
wii!  also  bs  eligible  \.v  reduced  inspection  in  the  ongoing  program  if 
the  results  of  early  sampling  confirm  that  the  area  is  not  prone  to  deteri- 
oration, This  is  an  example  of  a situation  in  which  two  structurally 
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single  element  that  should  be  inspected  to  cater  to  different  factors  and 
environments.  There  are  many  additional  such  designations  along  the 
full  length  of  the  rear  spai.  The  designer  plays  an  important  role  in  such 
cases  in  making  the  primary  indicators  of  deterioration  occur  in  easily 
inspectable  areas. 

SATE-LIFE  STRUCTURAL  ITEMS 

The  shock-strut  outer  cylinder  on  the  main  landing  gear  of  the  Douglas 
DC-10  is  one  of  the  few  safe-life  structural  items  on  this  aircraft.  The 
following  analysis  of  this  item  shows  the  treatment  of  a safe-life  item 
in  an  airline  context.  However,  there  is  no  universal  approach  to  setting 
inspection  intervals  for  safe-life  items,  and  each  case  must  be  considered 
separately.  This  particular  item  is  of  interest  because  there  are  two 
different  models,  and  the  outer  cylinder  on  each  model  has  a different 
safe-life  limit.  Exhibits  9,17  and  9.18  are  worksheets  for  the  two  models. 

Since  this  is  a safe-life  item,  it  must  be  removed  from  service  before 
a fatigue  crack  is  expected  to  occur;  hence  it  is  not  rated  for  residual 
strength,  fatigue  life,  or  crack-propagation  characteristics.  Both  models 
are  of  the  same  material.  However,  the  manufacturer's  fatigue  tests 
showed  that  model  ARG  7002-501  had  a safe-life  limit  of  23,200  landings, 
or  34,800  flight  hours,  whereas  tests  on  a redesigned  model,  ARG  7002- 
505,  resulted  in  a safe-life  limit  of  46,800  landings,  or  70,200  flight  hours. 
The  safe-life  limits  are  effective  only  if  nothing  prevents  the  item  from 
reaching  them,  and  in  the  case  of  structural  items  there  are  two  factors 
that  introduce  this  possibility- corrosion  and  accidental  damage.  Both 
factors  reduce  the  expected  fatigue  life  from  that  for  an  undamaged  part, 
and  both  apply  equally  to  the  two  models  of  the  shock-strut  outer 
cylinder. 

Experience  has  shown  that  landing-gear  cylinders  of  this  type  an 
subject  to  two  corrosion  problems.  First,  the  outer  cylinder  is  suscep- 
tible to  corrosion  from  moisture  that  enters  the  joints  at  which  other 
components  are  attached;  second,  high-strength  steels  such  as  4330  MOD 
are  subject  to  stress  corrosion  in  some  of  the  same  areas.  Both  models 
are  therefore  gnen  a corrosion  rating  of  1,  which  results  in  a class  num- 
ber of  1. 

The  onset  of  corrosion  is  more  predictable  in  a well-developed 
design  than  in  a new  one,  and  previous  operation  of  a similar  design 
in  a similar  environment  has  shown  that  severe  corrosion  is  likely  to 
develop  by  15,000  to  20,000  hours  (five  to  seven  yeirs  of  operation).  It 
can  be  detected  only  by  inspection  of  the  internal  joints  after  shop 
disassembly;  hence  this  inspection  will  be  performed  only  in  conjunc- 
tion with  scheduled  inspections  of  the  landing-gear  assemble.  This 
corrosion  inspection  is  one  of  the  controlling  factors  in  estab'ishing  the 
shop-inspection  interval.  It  is  customary  to  start  such  inspections  at  a 
conservative  interval  and  increase  the  interval  at  a rate  determined  by 
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EXHIBIT  9'i7  Worksheet  for  analysis  of  the  outer  cylinder  of  the 
shock-strut  assembly,  model  ARC.  7002-501,  on  the  Douglas  DC-10. 

STRUCTURES  WORKSHEET  type  of  aircraft  Douglas  DC-10-10 

item  number  101  no.  per  aircraft  2 

item  name  Shock-strut  outer  cylinder  major  area  Main  landing  gear 

vendor  part/model  no.  P.N.  ARG  7002-501  zone(s)  144, 145 

description/location  details 

Shock-strut  assembly  is  located  on  main  landing  gear;  SSI  consists  of  outer 
cylinder  (both  faces). 


material  (include  manufacturer’s  trade  name)  Steel  alloy  4330  MOD 

(Douglas  TRICE  NT  300  M) 

fatigue-test  data 

expected  fatigue  life  hours  crack  propagation  hours 

established  safe  life  23,200  landings,  34,800  operating  hours 
design  conversion  ratio  1.5  operating  hours/flight  cycle 


ratings 

residual  fatigue  crack  accidental  controlling 

strength  life  growth  corrosion  damage  class  no.  factor 


14  1 Corrosion 


adjustment  factors 
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prepared  by  H.  F.  Heap 
reviewed  by  F.  S.  Nowlan 
approved  by 


date  5/12/78 
date  5/12/78 
date 


design  criterion  (check)  Inspection  access  (check) 

damage-tolerant  element  X Internal 

X sale-life  element  X external 

redundancy  and  external  detectability 

No  redundancies;  only  one  cylinder  each  landing  gear, 
left  and  right  wings.  No  external  detectability  of 
internal  corrosion. 


Is  element  inspected  via  a related 
SSI?  If  so,  list  SSI  no. 

No 


classification  of 
item  (check) 

X significant 


nonsignificant 


inspection 

(int./ext.)  proposed  task  initial  interval 


Internal 


Extr  Tial 


Magnetic-particle  inspection 
for  cracking  and  detailed 
visual  inspection  for 
corrosion 

General  inspection  of  outer 
surface 

Detailed  visual  inspection 
for  corrosion  and  cracking 

Remove  and  discard  at  life 
limit 


Sample  at  6,000  to  9,000 
hours  and  at  12,000  to 
15,000  hours  to  establish 
best  interval 

During  preflight  walk- 
arounds  and  at  A checks 

Not  to  exceed  1,000  hours 
(C  check) 

34,800  hours 
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EXHIBIT  9 • 18  Worksheet  for  analysis  of  the  outer  cylinder  of  the 
shock-strut  assembly,  model  ARG  7002-505,  on  the  Douglas  DC-10. 


STKUCTUUS  WOWCSHIT  type  of  aircraft  Douglas  DC-10-10 


item  number  101 

item  name  Shock-strut  outer  cylinder 
vendor  part/model  no.  P.N.  ARG  7002-505 


no.  per  aircraft  2 

major  area  Main  landing  gear 

zone(s)  144, 145 


description/location  details 

Shock-strut  assembly  is  located  on  main  landing  gear;  SSI  consists  of 
outer  cylinder  (both  faces). 


material  (include  manufacturer's  trade  name)  Steel  alloy  4330  MOD 

(Douglas  TRICENT  300  M) 


fatigue-test  data 

expected  fatigue  life  hoars  crack  propagation  hours 

established  safe  life  46,800  landings,  70,200  operating  hours 
design  conversion  ratio  1.5  operating  hours/flight  cycle 

ratings 

residual  fatigue  crack  accidental  controlling 

Strength  life  growth  corrosion  damage  class  no.  factor 


1 


4 


1 Corrosion 


adjustment  factors 


270  APPLICATIONS 


redundancy  and  external  detectability 

No  redundancies;  only  one  cylinder  each  landing  gear, 
left  and  right  wings.  No  external  detectability 
of  internal  corrosion. 


Is  element  inspected  via  a related 
SSI?  If  so,  list  SSI  no. 

No 


classification  of 
item  (check) 

X significant 
nonsignificant 


inspection 

(int./ext.)  proposed  task  initial  interval 


Internal  Magnetic-particle  inspection  Sample  at  6,000  to  9,000 

for  cracking  and  detailed  hours  and  at  12,000  to 

visual  inspection  for  15,000  hours  to  establish 

corrosion  best  interval 

External  General  inspection  of  outer  During  preflight  walk- 

surface  arounds  and  at  A checks 

Detailed  visual  inspection  Not  to  exceed  1,000  b jure 
for  corrosion  and  cracking  <C  check) 

Remove  and  discard  at  life  70,200  hours 

,smit 


" ’WWW » 


EXHIBIT  9 ‘19  The  shock-strut  assembly  on  the  main  landing  gear  of 
tnc  Douglas  DC-10.  The  outer  cylinder  is  a structurally  significant 
item;  the  lest  of  the  assembly  is  treated  as  a systems  item.  (Based  on 
Douglas  DC-10  maintenance  materials) 


experience  and  the  condition  of  the  first  units  inspected.  The  initial 
requirement  is  therefore  established  as  inspection  of  one  sample  be- 
tween 6,000  and  9,000  hours  and  one  sample  between  12,000  and  15,000 
hours  to  establish  the  ongoing  interval.  During  the  shop  visits  for  these 
inspections  any  damage  to  the  structural  parts  of  the  assembly  are 
repaired  as  necessary  and  the  systems  parts  of  the  assembly  are  usually 
reworked.  Thus  the  combined  process  is  often  referred  to  as  landing- 
gear  rework. 

In  addition  to  the  corosion  rating,  both  models  of  the  shock-strut 


'v.wte.sir’jjr 


272  APPLICATIONS 


cylinder  are  rated  for  susceptibility  to  accidental  damage  The  cylinder 
is  exposed  to  relatively  infrequent  damage  from  rocks  and  other  debris 
thrown  up  by  the  wheels.  The  material  is  also  hard  enough  to  resist 
most  such  damage.  Its  susceptibility  is  therefore  very  low,  and  the 
rating  is  4 in  both  cases.  Ho  ever,  because  the  damage  is  random  and 
cannot  be  predicted,  a general  check  of  the  outer  cylinder,  along  with 
the  other  landing-gear  parts,  is  included  in  the  walkaround  inspections 
and  the  A check,  with  a detailed  inspection  of  the  outer  cylinder  sched- 
duled  at  the  C-check  interval.  The  same  inspection  program  applies  to 
both  models,  since  they  have  the  same  susceptibility  to  corrosion  and 
accidental  damage.  The  only  difference  is  in  the  interval  for  the  safe- 
life  discard  task;  this  task  is  scheduled  at  the  safe-life  limit  for  each 
model. 

Note  that  the  outer  cylinder  has  been  treated  in  this  case  as  a single 
structurally  significant  item.  It  could  also  have  been  designated  as  two 
items,  with  the  interval  for  the  internal  surface  controlled  by  the  cor- 
rosion rating  and  that  for  the  external  surface  controlled  by  a single 
rating  for  accidental  damage.  This  treatment  would,  of  course,  have 
resulted  in  the  same  set  of  tasks  and  intervals. 


9 • 6 STRUCTURAL  AGE  EXPLORATION 

In  the  systems  and  powerplant  divisions  the  consequences  of  many  the  role  of  the  inspection  plan 
functional  failures  are  economic  and  do  not  involve  safety.  Thus  little  the  fleet-leader  concept 
attempt  is  made  to  predict  those  reliability  characteristics  that  cannot 
be  determined  until  after  the  equipment  enters  service.  Instead,  the 
default  strategy  is  employed,  and  additional  tasks  are  incorporated  in 
the  scheduled-maintenance  program  only  after  there  is  sufficient  oper- 
ating information  to  assess  their  economic  desirability.  In  the  analysis 
of  structural  items,  however,  the  determination  of  inspection  intervals 
for  damage-tolerant  structure  is  based  o.i  an  assessment  of  the  effect  of 
failures  on  residual  strength,  the  relationship  of  fatigue-test  results  for 
individual  items  to  the  design  goal  for  the  overall  structure,  crack- 
propagation  characteristics,  and  the  anticipated  rate  of  corrosion.  All 
these  assessments  involve  some  degree  of  prediction.  The  results  are 
therefore  treated  very  conservatively,  not  only  because  they  are  extra- 
polations from  test  data,  but  also  because  manufacturing  variations, 
differences  in  operating  environments,  and  different  loading  histories 
may  lead  to  wide  variations  in  fatigue  life  from  one  airplane  to  another. 

In  all  cases  there  will  be  differences  between  the  manufacturer's 
test  environment  and  the  environment  in  which  a given  fleet  of  air- 
planes is  actually  operated.  If  different  airplanes  in  the  fleet  are  to  be 
assigned  quite  different  types  of  missions  or  will  be  operating  in  dif- 
ferent types  of  environments,  it  may  be  advisable  to  develop  a separate  SECTION  9-6  273 
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Boatng  747  |M2 


Tbtal  number  of  airplane*  overhauled 


EXHIBIT  9*20  The  number  of  heavy  structural  inspections 
(overhauls)  required  to  reach  the  same  maximum  interval  under 
different  maintenance  policies.  The  figures  shown  for  the  Douglas 
DC-S  indicate  the  total  number  of  overhauls  performed  up  to  the  time 
of  an  interval  extension.  The  very  conservative  initial  interval  for  this 
airplane  was  extended  slowly  until  a change  in  maintenance  concepts 
occurred.  The  initial  interval  for  the  Boeing  747  was  established  after 
this  change  in  concept,  and  only  three  heavy  inspections  were 
required  to  reach  a 20,000-hour  interval.  (United  Airlines) 

set  of  inspection  intervals  for  each  kind  of  operation  and  implement 
these  tailored  programs  from  the  outset.  Any  initial  structure  program, 
however,  merely  specifies  the  start  of  age  exploration  for  each  item  to 
determine  its  actual  fatigue  characteristics.  The  program  includes  all 
the  inspection  tasks  necessary  to  protect  the  structure,  but  it  is  the  results 
of  these  inspections  after  the  equipment  enters  service  that  will  deter- 
mine the  intervals  to  be  used  during  continuing  operation. 

Until  fairly  recently  structural  inspection  programs  did  not  take 
into  account  the  explicit  role  of  the  inspections  themselves  in  the  age- 
exploration  process.  The  heavy  structural  inspections,  the  work  package 
that  includes  all  the  inspection  tasks  in  the  program,  were  often  the 
major  part  of  what  was  called  an  "airplane  overhaul"  — an  unfortunate 
term,  since  it  implies  that  something  can  be  done  to  restore  the  struc- 
ture to  like-new  condition.  Although  the  repair  of  damage  found  during 
such  inspections  will  restore  the  original  load-carrying  capability,  there 
274  applications  is  no  form  of  remanufacture  that  will  zero-time  the  effects  of  fatigue. 


The  so-called  overhaul,  therefore,  could  have  no  effect  on  the  operating 
age  at  which  fatigue  cracks  might  appear. 

Under  older  policies  a fairly  large  proportion  of  the  fleet  was  given 
a full  structural  inspection  at  a low  age  (2,500  hours  in  the  case  of  the 
Douglas  DC-8),  the  inspection  findings  were  assessed,  and  the  proce- 
dure was  then  repeated  at  a slightly  longer  interval.  At  all  times,  how- 
ever, the  emphasis  was  on  the  time  since  the  last  inspection,  noton  the 
total  operating  age  of  the  airplane.  As  a result,  117  such  inspections 
were  performed  on  one  fleet  of  Douglas  DC-8's  before  the  overhaul 
interval  was  extended  beyond  5,000  hours,  and  of  the  32  overhauls 
performed  at  the  5,000-hour  limit,  9 represented  the  fourth  overhaul 
and  16  the  third  overhaul  for  individual  airplanes  (see  Exhibit  9.20). 

The  density  of  inspections  performed  under  this  policy  varied 
from  item  to  item;  some  items  were  inspected  at  every  overhaul,  some 
at  every  second  overhaul,  and  so  on.  This  procedure  was  explicit  recog- 
nition of  the  fact  that  some  items  were  more  significant  than  others  and 
that  the  exposure  to  deterioration  varied  from  item  to  item.  The  con- 
cept of  sampling  is  still  employed  in  the  age  exploration  oi  internal 
structural  items  with  a high  class  number.  This  and  other  aspects  of 
structural  age  exploration  are  discussed  in  detail  in  Chapter  11. 

Since  the  airplanes  in  any  given  fleet  will  have  entered  service  over 
a period  of  years,  the  difference  in  operating  age  between  the  oldest  and 
the  youngest  airplane  may  be  as  much  as  30,000  hours.  As  it  became 
clear  that  the  oldest  members  of  the  fleet  were  more  likely  to  provide 
new  information  about  fatigue  damage,  inspection  emphasis  shifted 
to  what  is  often  termed  the  fleet-leader  concept,  concentration  of  heavy 
structural  inspections  of  the  airplanes  with  the  highest  total  time.  This 
approach  not  only  provides  the  same  amount  of  information  in  the 
shortest  calendar  time,  but  identifies  the  age  at  which  fatigue  damage 
is  likely  to  appear  before  the  younger  aircraft  reach  this  age  limit. 
Thus  it  is  possible  to  perform  fleetwide  inspections  for  damage  while 
it  is  still  in  its  early  stages  and  also  to  develop  design  modifications 
that  will  extend  the  fatigue  life  of  the  structural  areas  involved.  The 
result  of  this  change  in  concept  was  much  more  rapid  extension  of 
overhaul  intervals  and  fewer  such  overhauls  performed  on  aircraft  too 
young  to  provide  the  necessary  information. 

As  the  structure  ages  in  service  the  intervals  for  many  individual 
items  will  be  adjusted  to  ensure  that  deterioration  is  found  as  early  as 
possible,  and  some  items  that  are  unacceptably  short-lived  may  have 
to  be  modified  to  increase  their  fatigue  lives.  In  general,  however,  the 
state  of  the  art  is  now  such  that  the  designer  can  often  establish  quite 
meaningful  predictions  of  fatigue  life,  and  as  these  predictions  have 
been  borne  out  by  experience,  there  has  been  a tendency  to  begin  age 
exploration  at  increasingly  higher  ages  with  each  new  design. 


CHAPTER  TEN 


completing  the  maintenance 
program 


THUS  FAR  we  have  been  concerned  with  scheduled-maintenance  tasks 
generated  by  explicit  consideration  of  failtre  consequences  and  the 
inherent  reliability  characteristics  of  each  item.  These  tasks  comprise 
the  major  portion  of  the  total  scheduled-maintenance  program,  but  not 
all  of  it.  The  set  of  tasks  identified  by  RCM  analysis  is  supplemented  by 
certain  other  scheduled  tasks  which  are  both  so  easy  to  perform  and 
so  obviously  cost-effective  that  they  require  no  major  analytic  effort, 
Five  common  categories  of  such  additional  tasks  are  zonal-installation 
inspections,  preflight  walkaround  inspections,  general  inspections  of 
external  structure,  routine  servicing  and  lubrication,  and  regular  testing 
of  functions  that  are  used  only  intermittently  by  the  operating  crew. 

Zonal  inspections,  preflight  walkarounds,  and  general  inspections 
of  external  structure  are  not  directed  at  any  specific  item  and  hence  can- 
not in  themselves  be  considered  RCM  tasks.  However,  they  often  serve 
as  a vehicle  for  specific  on-condition  or  failure-finding  tasks.  Servicing 
and  lubrication  tasks  do  in  fact  fit  RCM  decision  logic,  but  their  bene- 
fits are  so  obvious  that  the  cost  of  analysis  is  not  worthwhile.  In  con- 
trast, the  testing  of  infrequently  used  functions  merely  takes  advantage 
of  the  scheduled-maintenance  program  to  supplement  the  failure- 
reporting duties  of  the  operating  crew. 

Once  all  the  scheduled  tasks  have  been  assembled,  we  must  turn 
our  attention  to  the  problem  the  maintenance  organization  faces  in 
scheduling  and  controlling  the  accomplishment  of  the  work.  It  is  pos- 
sible, of  course,  to  schedule  each  of  the  hundreds  of  different  tasks  at 
the  optimum  interval  for  each  item.  It  may  even  be  desirable  to  do  so 
if  the  fleet  is  very  small  and  the  opportunities  for  scheduled  mainte- 
nance are  very  frequent.  In  most  cases,  however,  it  is  necessary  to  group 
the  tasks  into  ? ^irly  small  number  of  work  packages  so  that  they  can 
be  consolidated  .t  a few  maintenance  stations  and  do  not  interf  ere  with 
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shorter  intervals  than  necessary  tor  a great  many  individual  tasks,  the 
additional  cost  is  more  than  offset  by  the  overall  increase  in  efticiency. 
There  is  no  single  optimum  way  of  packaging  tasks,  since  the  overall 
cost  of  the  maintenance  process  depends  on  such  factors  as  organiza- 
tional structure,  maintenance  resources  and  facilities,  and  operating 
requirements. 

This  chapter  discusses  the  additional  work,  beyond  RCM  analysis, 
that  is  required  to  complete  an  initial  scheduled-maintenance  program. 


10  1 OTHER  SCHEDULED-MAINTENANCE  TASKS 


ZONAL- INSTALLATION  INSPECTIONS 

Zonal  inspections  are  based  on  the  three-dimensional  reference  system 
required  to  identify  the  physical  location  of  any  item  on  an  airplane. 
The  entire  airplane  is  considered  to  be  partitioned  into  discrete  spaces, 
or  zones,  usually  bounded  by  physical  features  such  as  floors,  bulk- 
heads, and  outer  skins.  The  specific  zones  in  each  type  of  airplane  are 
designated  by  the  manufacturer,  usually  at  the  design  stage,  and  are 
then  carried  through  to  all  reference  material  on  maintenance  for  that 
particular  design.  Exhibit  10,1  shows  the  zonal  reference  system  used 
for  the  McDonnell  F4J  and  Exhibit  10.2  shows  a portion  of  the  Boeing 
747  zonal  system. 

The  various  assemblies  and  connecting  lines  (wiring,  hoses,  duct- 
ing, attach  f’ttings)  of  the  airciaft  systems  that  are  in  each  zone  are  re- 
ferred to  as  zonal  installations.  In  some  cases,  such  as  the  cockpit  area,  the 
whole  zone  is  readily  accessible.  More  often,  however,  a zone  must  be 
entered  by  some  access  door  in  the  outer  surface  so  that  mechanics  can 
inspect,  repair,  or  replace  the  various  installations.  Consequently  zonal 
installations  are  subject  not  only  to  the  normal  wear  and  tear  of  use,  but 


zonal-installation  inspections 
walkaround  ’nspetions 
Kener.il  external  inspections 
ser\  icing  and  lubrication  tasks 
testing  of  rarely  used  functions 
event-oriented  inspections 
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Major  zones 

1 Kadome  and  radar  compartment 

2 Forward  fuselage 

7 Upper  right  wing 

8 Aft  fuselage  and  empennage 
•>  Upper  left  wing 

12  Left  intake  duct  and  cavity 

13  Center  fuselage 

14  Forward  cockpit 

15  Aft  cockpit 

16  Left  engine 

17  Right  engine 


220  Control  cabin  and  staterooms,  sta  220  to  sta  720 


221  Control  cabin,  left  hand 

222  Control  cabin,  right  hand 

223  Compartment  aft  of  control  cabin,  left  hand 

224  Compartment  aft  of  control  cabin,  right  hand 

225  Staterooms,  left  hand 

226  Staterooms,  right  hand 


Major  /one  200 
Upper  half  of  fuselage 


Major  /one  2(H) 

Upper  half  of  fuselage 


Major  zone  locations 


Major  zone  500 
Left  wing 


Major  zone  100 
Lower  half  of  fuselage 


Major  zone  400 
Power  plants  and  struts 


Major  zone  700 

EXHIBIT  10*2  The  zone  numbering  system  Landing  gear  and 
for  the  Boeing  747,  landing  gear  door 

(Boeing  Aircraft  maintenan, materials) 


Major  zone  600 
Right  wing 

44* 


Major  zone  300 
Empennage 


Major  zone  800 
Doors  (passenger, 
crew,  cargo) 


also  to  accidental  damage  from  the  traffic  of  mechanics  and  other  per- 
sonnel in  the  zones.  In  the  interests  of  prudence,  therefore,  a separate 
zonal  inspection  program  is  meeded  to  complement  the  program  of 
RCM  tasks. 

Although  zonal  inspections  are  dire  *ed  primarily  at  the  installa- 
tions in  each  zone,  they  also  include  general  inspections  of  those  por- 
ts ns  of  the  internal  structure  that  can  be  seen  with  the  installations  in 
place.  These  inspections  are  relatively  nonspecific  checks  on  the  secur- 
ity of  installed  items—  to  detect  loose  or  missing  parts  or  parts  that  may 
rub  against  each  other— checks  for  any  accidental  damage,  and  a quick 
survey  for  obvious  leaks.  In  some  cases  the  number  and  location  of  the 
access  doors  govern  the  amount  of  a zone  that  is  inspected.  These 
inspections  do  not  qualify  as  on-conditicn  tasks,  since  they  are  not 
directed  at  a specific  failure  mode,  except  where  leaks  have  been  de- 
fined as  a failure  condition  for  a given  item.  However,  they  are  very 
inexpensive  to  perform  and  provide  an  opportunity  to  spot  early  signs 
of  problems  developing  in  the  systems.  rhus  they  are  cost-effective  if 
they  result  in  even  a small  reduction  in  repair  costs  or  identify  a poten- 
tial failure  at  a time  that  avoids  operational  consequences. 

In  current  practice  the  intervals  assigned  to  zonal  inspections  are 
judgmental,  although  they  are  based  on  a general  consideration,  zone 
by  zone,  of  susceptibility  and  failure  consequences.  In  this  case  suscep- 
tibility refers  to  the  overall  vulnerability  of  the  installations  within  a 
zone  to  damage,  loss  of  security,  and  leaks  (which  we  can  construe  as 
the  probability  of  failure  for  the  zone),  and  failure  consequences  refers 
to  the  ultimate  effect  of  not  detecting  and  correcting  the  conditions  that 
could  be  discovered  by  a zonal  inspection.  These  effects  include  Hie 
consequences  of  a functional  failure  (even  the  absence  of  emergency 
equipment  in  the  event  of  an  emergency),  a more  advanced  potential- 
failure  stage,  or  a multiple  failure  that  might  have  been  avoided  by  the 
inspection. 

The  interval  for  some  zones  may  be  very  short.  The  cockpit  of  an 
airplane,  for  example,  contains  many  items  of  emergency  equipment, 
and  since  it  is  subject  to  heavy  traffic  by  members  of  the  operating 
crew,  the  cabin  crew,  and  the  maintenance  crew,  these  items  are  all 
susceptible  to  damage.  The  consequences  of  not  having  this  equipment 
in  position  and  serviceable  if  it  is  needed  are  also  very  serious.  These 
considei  itions  lead  to  intervals  as  short  as  2C  hours  and  never  longer 
than  200  hours  (the  usual  A-check  interval)  for  zonal  inspections  of 
this  area.  These  inspections  are  often  complemented  by  additional 
inspections  that  are  part  of  the  crow  duties.  At  the  other  end  of  the  scale, 
zones  that  contain  no  system  installations  are  inspected  at  D-check 
intervals  (20,000  hours  or  more).  These  inspections  are  for  the  sole  pur- 
pose of  looking  at  the  nonsignificant  portions  of  the  internal  structure 
within  these  zones, 
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While  the  interval?  for  zonal  inspections  are  based  on  general 
assessments,  rather  than  a comprehensive  analysis  of  specific  data,  it 
is  sometimes  helpful  to  rate  each  zone  for  susceptibility  and  conse- 
quences and  then  assign  class  numbers,  much  like  the  rating  scheme 
used  to  establish  intervals  for  structurally  significant  -'terns  (see  Section 
9.2).  The  considerations  in  rating  a zone  for  susceptibility  to  trouble 
would  include: 


► The  number  and  complexity  of  installed  items  in  the  zone 

► The  susceptibility  of  individual  items  to  deterioration  of  one  kind 
or  another  (damage  due  to  corrosion,  heat,  or  vibration,  for  exam- 
ple, will  usually  depend  on  the  location  of  the  zone) 

► The  traffic  in  the  zone  that  might  cause  damage,  including  the 
relative  frequency  of  access  for  on-condition  tasks  and  the  replace- 
ment or  repair  of  failed  items 


As  with  structural  items,  a scale  of  1 to  4 is  used  to  rate  suscepti- 
bility and  consequences  separately  for  the  zone  in  question: 


susceptibility 

High 

Moderate 

Low 

None 


consequences 

Serious 

Moderate 

Minor 

None 


rating 

1 

2 

3 

4 


In  this  case  none  means  that  there  are  no  system  installations  in  the 
zone.  Such  zones  are  still  given  a rating,  however,  since  the  zonal 
inspection  program  is  the  vehicle  that  ensures  general  inspections  of 
nonsignificant  internal  structural  items.  (Structurally  significant  items 
are  covered  by  the  basic  structure  program,  as  described  in  Chapter  9.) 
The  ratings  for  both  factors  are,  of  necessity,  a matter  of  experience  and 
judgment.  Although  consequences  are  taken  into  account,  the  evalua- 
tion is  a very  broad  one  and  is  not  based  on  detailed  examination  of  the 
reliability  characteristics  of  each  item,  as  is  the  case  in  developing  a set 
of  RCM  tasks. 

The  lower  of  the  two  ratings  is  the  class  number  for  the  zone  and 
determines  the  relative  frequency  of  zonal  inspections:  the  lower  the 
class  number,  the  shorter  the  inspection  interval  for  that  zone.  The 
intervals  themselves  depend  on  further  subjective  considerations  of  de- 
sign characteristics,  operating  environment,  and  the  flight  hours  logged 
during  a given  operating  period. 

The  zonal  inspection  program  is  usually  developed  by  a separate 
working  group,  and  the  results  must  be  integrated  with  the  scheduled 
tasks  developed  by  the  systems  and  structure  groups  to  eliminate  gaps 
and  overlaps  between  the  two  programs. 
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. CSA  r.  A tie  * a: 


Check  for  signs  of  damage  on 

1 Nose  to  wing  roof 

2 Wing  root,  engine,  wing  tip 

3 Wing  trailing  edge  and  whcelwells 

4 Aft  fuselage 

5 Empennage 


EXHIBIT  10-3  Diagram  for  a walkaround  check  on  the  Douglas 
DC-10,  performed  before  or  after  each  flight.  (Douglas  Aircraft 
maintenance  materials) 


WALKAROUND  INSPECTIONS 

Walkaround  inspections  are  general  visual  inspections  performed  at 
the  ground  level  to  detect  any  obvious  external  damage.  This  may  be 
accidental  damage  caused  by  contact  with  other  aircraft,  ground  equip- 
ment, buildings,  or  debris  thrown  up  from  the  runway,  or  it  may  be 
loose  fittings  or  leaks  from  the  various  fluid  lines.  These  checks  are 
performed  by  the  maintenance  crew  before  each  departure  from  a main- 
tenance station  and  often  incorporate  simple  on-condition  tasks,  such 
as  a check  of  the  brake  wear  indicators  and  specific  checks  of  the  struc- 
tU'ui  areas  expected  to  show  external  evidence  of  internal  structural 
damage.  There  may  also  be  independent  preflight  inspections  by  a 
member  of  the  operating  crew.  In  some  military  operations  walkaround 
checks  are  performed  both  before  and  after  each  flight. 

Walkaround  inspections  not  only  detect  failures  with  minor  con- 
sequences, but  often  provide  the  first  indication  of  an  impending  en- 
gine or  structural  failure.  A simple  diagram  like  that  in  Exhibit  10.3  is 
usually  included  in  the  maintenance  manual  to  identify  the  portions  of 
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GENERAL  EXTERNAL  INSPECTIONS 

General  inspections  of  the  external  structure  are  similar  to  the  inspec- 
tions performed  during  walkarounds,  except  that  they  include  those 
portions  of  the  structure  that  cannot  be  seen  from  the  ground.  Inspec- 
tion of  the  vertical  tail  and  the  upper  surfaces  of  the  wings  and  fuselage 
requires  the  use  of  scaffolding  that  is  part  of  the  hangar  dock.  Conse- 
quently these  inspections  are  performed  at  intervals  corresponding  to 
those  of  work  packages  that  require  hangar  facilities. 

SERVICING  AND  LUBRICATION  TASKS 

The  scheduled-maintenance  program  also  includes  the  periodic  servic- 
ing and  lubrication  tasks  assigned  to  various  items  on  the  airplane.  Ser- 
vicing includes  such  tasks  as  checking  fluid  reservoirs  and  pressures 
and  replenishing  or  adjusting  them  as  necessary,  replacing  filters, 
adding  nitrogen  to  tires  and  landing-gear  struts,  and  so  on.  Each  of 
these  tasks  could  be  generated  by  RCM  analysis  (see  Section  3.6),  and 
sometimes  they  are.  More  often,  however,  the  tasks  are  simply  scheduled 
as  recommended  by  the  aircraft,  powerplant,  or  system  manufacturer, 
since  their  cost  is  so  lew  in  relation  to  the  obvious  benefits  that  deeper 
analysis  is  not  warranted. 

All  servicing  and  lubrication  tasks  tend  to  involve  the  replace- 
ment of  consumables,  where  it  is  expected  that  the  need  will  be  time- 
related.  Although  such  tasks  are  usually  assigned  conservatively  short 
intervals,  the  tasks  themselves  are  so  inexpensive  that  effort  is  rarely 
spent  on  age  exploration  to  find  the  most  economical  interval. 

TESTING  OF  RARELY  USED  FUNCTIONS 

Much  of  the  scheduled-maintenance  program  hinges  on  the  fact  that 
the  operating  crew  will  detect  and  report  all  evident  functional  failures. 
In  some  situations,  however,  an  evident  function  may  be  utilized  infre- 
quently or  not  used  at  all  during  certain  deployment  of  the  aircraft.  Such 
functions  are  not  hidden  in  the  strict  sense  of  the  word,  since  a failure 
would  be  evident  during  the  normal  performance  of  crew  duties.  Rather, 
they  are  hidden  only  when  they  are  not  being  used.  Under  these  cir- 
cumstances the  scheduled-maintenance  program  is  a convenient  vehi- 
cle for  periodic  tests  to  ensure  their  continued  /ailability. 

This  continued  availability  is  especially  important  for  multiple- 
role  equipment  subject  to  sudden  changes  in  operational  use.  One 
obvious  example  is  an  airplane  all  of  whose  scheduled  flights  fall  in  the 
daylight  hours.  In  this  case  it  is  necessary  to  include  tests  of  the  landing 
lights,  cockpit  lights,  and  other  i'  'ms  used  for  nighttime  operation  in 
•■he  maintenance  program,  since  actual  use  of  the'"?  functions  by  the 
operating  crew  will  not  constitute  an  adequate  failure-reporting  system. 
The  inverse  of  this  situation  — the  extension  of  crew  duties  to  cover 
tests  of  certain  hidden-function  items  — usually  applies  in  any  operating 


context;  hence  it  is  taken  into  account  during  RCM  analysis  (tests  by  the 
operatin  crew  make  the  failure  evident).  However,  the  need  for  inspec- 
tion tasks  to  cover  rarely  used  functions  depends  on  the  actual  use  of 
the  equipment,  and  such  tasks  must  ordinarily  be  added  to  the  program 
on  an  individual  basis  by  each  operating  organization.  Where  the  air- 
planes in  a fleet  are  used  under  different  sets  of  operating  conditions, 
these  tasks  may  be  required  for  some  members  of  the  fleet,  but  not  for 
others. 

EVENT- ORIENTED  INSPECTIONS 

There  are  special  inspections  that  are  not  scheduled  in  the  ordinary 
sens*,  nut  mus*  be  performed  after  the  occurrence  of  certain  unusual 
events.  Typical  examples  are  hard-landing  an^  rough-air  inspections 
of  the  structure  and  overtemperature  and  ('■•erspeed  inspections  of 
engines.  These  are  all  on-eonditi.  inspections  of  the  specific  sig- 
nificant items  which  are  most  iikeiy  to  be  damaged  by  the  unusually 
severe  loading  conditions. 


10-2  PACKAGING  THE  MAINTENANCE  WORKLOAD 

letter-chock  intervals  All  the  task  intervals  we  have  discussed  so  far  have  been  based  on  the 
main .enance-package  contents  individual  requirements  of  each  item  under  consideration.  The  control 

of  these  individual  tasks  is  greatly  simplified  by  grouping  the  tasks  into 
work  packages  that  can  be  applied  to  the  entire  aircraft,  to  an  installed 
engine,  or  to  a removable  assembly.  In  many  cases  the  study  groups 
developing  each  segment  of  the  program  will  have  anticipated  the  pack- 
aging  procedure;  thus  individual  tasks  may  be  specified  for  an  inter- 
val that  corresponds  to  the  preflight  walkaround  or  to  the  A-check  or 
D-check  interval.  In  some  cases  a maximum  interval  is  specified  in 
hours  or  flight  cycles  as  well,  and  the  grouping  of  tasks  must  ensure  that 
each  task  will  be  performed  at  some  time  within  this  limit. 

Generally  speaking,  the  tasks  that  have  the  shortest  intervals  are 
servicing  tasks  and  simple  inspections  such  as  the  walkaround  checks, 
which  do  not  require  specialized  training,  equipment,  or  facilities. 
Thus  the  smaller  maintenance  packages  are  generally  called  serxhee 
checks.  A #1  service  check  may  be  a group  of  tasks  that  can  be  per- 
lormed  at  every  stop  at  a maintenance  station,  and  a heavier  #2  service 
check,  amounting  to  2 or  3 manhours  of  scheduled  work,  may  be  per- 
formed during  every  long  layover  if  the  airplane  has  flown  more  than 
20  hours  since  the  preceding  #2  service.  The  major  work  packages, 
calied  letter  checks,  are  performed  at  successively  longer  intervals  (see 
Exhibit  4.11  in  Chapter  4).  Each  letter  check  incorporates  all  the  work 
covered  by  the  preceding  checks,  plus  the  tasks  assigned  at  that  letter- 
check  interval.  Thus  each  one  requires  an  increasing  amount  of  man- 
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Although  the  intervals  for  letter-check  packages  are  customarily 
expressed  in  terms  of  operating  hours,  some  organizations  may  prefer 
to  convert  them  to  calendar  time  based  on  average  daily  use  of  the 
equipment.  Packages  would  then  be  designed  to  include  tasks  to  be 
performed  once  a day,  once  a week,  once  a month,  and  so  on.  Similarly, 
the  operator  of  a small  fleet  — say,  two  airplanes  — may  not  want  to  be 
faced  with  a very  heavy  intermittent  workload  of  two  C checks  a year, 
each  requiring  an  expenditure  of  perhaps  2,000  manhours.  He  may 
prefer  instead  to  distribute  the  C-check  tasks  among  the  more  frequent 
checks,  with  a different  group  of  C-check  tasks  performed  at  every  A 
and  B check.  It  is  also  possible  to  work  out  nightly  packages  with  equal- 
ized work  content  by  distributing  the  A and  B packages  as  well.  In  this 
case,  although  the  workload  will  be  relatively  constant,  the  actual  tasks 
to  be  performed  will  vary  greatly  from  night  to  night,  making  control 
of  their  accomplishment  more  difficult. 

Even  when  the  letter-check  packages  are  not  broken  up  in  this  way, 
their  content  will  not  necessarily  be  the  same  each  time  they  are  per- 
formed. For  example,  a task  that  has  a long  interval  but  is  not  time- 
consuming  may  be  assigned  to  one  of  the  more  frequent  letter  checks 
but  scheduled  only  for  every  second  or  every  fourth  such  check.  Con- 
versely, a group  of  tasks  that  are  especially  time-consuming  may  be 
distributed  among  successive  letter  checks  of  the  same  designation,  or 
there  may  be  items  that  are  monitored  independently  and  scheduled 
for  the  time  of  the  nearest  check  regardless  of  its  designation.  Conse- 
quently the  actual  tasks  performed  will  often  differ  greatly  for  the  same 
letter  check  from  one  visit  of  the  airplane  to  the  next. 

Usually  the  objective  in  packaging  is  to  consolidate  the  work  into 
as  few  check  intervals  as  possible  without  unduly  compromising  the 
desired  task  intervals.  Some  maintenance  organizations  attempt  to 
make  the  interval  for  each  higher  check  a multiple  of  the  lower  checks. 
This  has  the  advantage  of  simplicity,  but  the  necessity  of  maintaining 
the  geometric  relationship  penalizes  workload  scheduling.  One  method 
of  relating  each  check  to  the  next  higher  check  is  illustrated  in  Exhibit 
10.4.  In  this  case  the  intervals  are  arranged  to  overlap  as  follows: 

► The#2  service  check  includes  a #1  service  check  and  therefore 
zero-times  the  #1  check. 

► The  A check  includes  a #2  service  check  and  zero-times  it. 

► The  B check  includes  the  next  A check  due  and  zero- times  all  the 
A-check  tasks  performed. 

► The  C check  includes  the  next  B check  due  and  zero-times  all  the 
B-check  tasks  performed. 

► The  D check  includes  the  next  C check  due  and  zero-times  all  the 
C-check  tasks  performed. 


EXHIBIT  10*4  One  method  of  relating  letter-check  intervals. 

Note  that  the  time  scale  is  different  for  each  line,  and  each  check  is 
scheduled  to  include  the  lower-level  work  package  due  at  that 
interval.  The  C check  is  a special  case;  the  tasks  scheduled  for  this 
interval  are  split  into  four  different  phase-check  packages,  to  be 
performed  at  successive  B checks.  Thus  the  equivalent  of  the  first  C 
check  has  been  completed  by  the  B<  check,  and  so  on.  The  D check, 
scheduled  at  20,000  hours,  zero-times  all  phase-check  tasks 
performed  through  the  B23  check,  but  not  those  lasks  scheduled 
for  the  B,,  check. 


#l/#2  check 


Flight  hours 


#2 /A  check 


#2  #2  #2 


A/B  check 


Flight  hours 


Ai  A,  A|  A,  At  A|  A, 


Flight  hours 


B/C  check 


B|  B,  B,  Bt  Bs  B,  B,  B„  B,  B» 


C checks  accomplished  as  phase  checks 


Flight  hours 


B/C  check/  D check 


1 


Alternatively,  the  C check  might  be  divided  into  four  smaller  pack- 
ages, with  one  of  these  packages  assigned  to  each  B check.  The  check 
that  combines  B-  arid  C-check  tasks  is  often  called  a phase  check.  Whereas 
a full  C check  would  take  the  airplane  out  of  service  for  24  hours,  it 
may  be  possible  to  accomplish  a phase  check  in  an  elapsed  time  of  10 
or  12  hours.  When  the  C-check  tasks  are  distributed  in  this  way,  the 
D-check  includes  the  next  phase  check  and  zero  times  the  tasks  in  that 
phase  check. 

The  first  step  in  assembling  the  tasks  for  each  letter-check  package 
is  to  establish  the  desired  letter-check  intervals.  In  an  initial  program 
these  intervals,  like  the  task  intervals  themselves,  are  highly  conserva- 
tive. The  next  step  is  to  adjust  the  intervals  for  individual  tasks  to  cor- 
respond to  the  closest  letter-check  interval.  Whenever  possible,  poor 
fits  should  be  accommodated  by  adjusting  the  task  interval  upward; 
otherwise  the  task  must  be  scheduled  at  the  next  lower  check  or 
multiple  of  that  check.  As  an  example,  the  initial  interval  assigned  to  a 
corrosion-control  task  for  the  internal  fuselage  lower  skin  of  the  Boeing 
747  was  9,000  hours.  The  inspection  is  essential  to  protect  the  bilge  areas 
of  the  plane  from  corrosion,  but  this  interval  would  have  necessitated  a 
separate  visit  to  the  maintenance  base  for  a single  task.  Since  the  inter- 
val represented  a conservative  value  in  the  first  place,  some  flexibility 
was  considered  allowable,  and  it  was  decided  that  the  interval  could 
safely  be  extended  to  11.000  hours,  which  coincided  with  a group  of 
tasks  scheduled  fqr  a midperiod  visit  at  half  the  D-check  interval. 

Exhibit  10.5  shows  a partial  list  of  the  scheduled  tasks  included  in 
each  letter  check  for  the  Boeing  747.  Note  that  this  program  employed 
phase  checks  in  place  of  a C-check  work  package.  When  phase  checks 
are  used  there  is  no  real  C check,  in  the  sense  of  a group  ot  tasks  all  of 
which  are  to  be  performed  at  the  same  time.  It  is  helpful  to  refer  to  a 
phantom  C check,  however,  to  develop  the  content  of  the  phase-check 
packages,  and  the  tasks  of  the  phantom  C check  have  the  desired  inter- 
val if  they  are  performed  at  every  fourth  phase  check. 

Exhibit  10.6  shows  sample  tasks  from  a somewhat  different  pack- 
aging scheme  for  the  McDonnell  F4J.  This  program  was  designed  for  a 
military  context,  but  it  includes  several  of  the  packaging  features  found 
in  its  commercial  counterpart.  For  example,  the  work  package  designated 
as  the  maintenance  check  is  actually  spread  out  over  six  lower-level 
phase  checks,  much  like  the  series  of  phase  checks  performed  at  the 
B-check  interval  on  the  Boeing  747. 

Both  the  task  intervals  and  the  package  intervals  in  an  initial  pro- 
gram are  subject  to  age  exploration.  Usually  the  intervals  for  individual 
tasks  are  increased  by  extending  the  package  intervals,  as  discussed  in 
Section  4.6.  When  a maximum  interval  is  identified  for  a specific  task, 
the  task  will  either  be  assigned  to  a different  letter-check  package  or, 
if  it  is  a task  that  controls  the  rest  of  the  package,  the  check  interval  will 

be  frozen.  SECTION  10-2  287 


EXHIBIT  10  5 I’.irti.il  m.unU-n.imt’p.uk.iv.c  co'-lents  lor  lino  ,nul 
h.iso  m.iinton.iiuo  on  the  Boeing  747.  (United  Airlines) 


LINE  MANTTNANCE 

#1  SERVICE  After  each  completed  flight,  average  4 
flight  hours 

Review  flight  log 

Perform  walkaround  check 

#2  SERVICE  livery  20  flight  hour:, 

Perform  #1  service 

Check  tires  and  brake  wear  indicators 
Check  constant-speed-drive  oil  quantity 
Check  engine  oil  quantify 
Check  exterior  lights 
Clear  deferred  flight-log  items 

A CHECK  At  overnight  layover,  limit  125  flight  hours 

Perform  #2  service 

Check  essential  and  standby  power 

Check  battery,  auxiliary  power  unit 

Check  cool-gas  generator  freon  level 

Check  portable  fire  extinguisher 

Check  hydraulic-system  differential-pressure 
indicator 

Perform  general  visual  inspection  of  landing  gear 
Inspect  landing-gear  shock  struts 

Check  truck-beam  bumper  pads,  main 
landing  gear 

Inspect  cockpit  zone 

A5  check  (every  fifth  A check) 

Lubricate  landing  gear 


BASE  MAINTENANCE 

B CHECK  Limit  900  flight  hours 

Perform  next  A check  dtte 

Check  hydraulic-supply  fire-shutoff  valve 

Lubricate  main  cargo  door 

Check  hydraulic  accumulator 

Lubricate  flap-transmission  universal  joint 

Lubricate  midflap  carriage  roller 

Inspect  wing  fixed  trailing-edge  upper  panel 

Inspect  wing  trailing-edge  flap  track 

Inspect  engine  second-stage  compressor  blades 

Test  engine  and  fuel-control  trim 

Check  and  service  engine  main  oil  screen 

B2  check  (every  second  B check) 

Check  magnetic  plug,  engine  main  3 and  4 bearings 
Inspect  fire-extinguisher  pylon  support 

Inspect  body  station  2360  pressure  bulkhead,  aft 
side,  for  corrosion 

Check  and  service  magnetic  plug,  auxiliary 
power  unit 

Test  and  service  battery  and  charger,  inertial 
navigation  system 

B3  check  (every  third  H check) 

Inspect  crank,  latch,  and  torque  tube,  main  entry 
door  (limit  3,200  flight  hours) 

C CHECK  Performed  as  ph*r  checks  over  four  successive 
B checks,  limit  3,600  flight  hours 

Perform  next  B check  due 


Intensive  inspection  of  outboard  leading-eo  ge  flap 
actuators,  attach-fitting  links,  and  bellcranks 

Check  operation  of  constant -speed-drive 
underspeed  switch  and  frequency  drift 

MAINTENANCE  CHECK  At  500  flight  hours;  performed 
over  six  phase  checks,  or  400  flight  hours 

External  visual  inspection  of  critical  zones 
Internal  visual  inspection  of  critical  zones 
Check  hydraulic-system  filters;  replace  as  necessary 
Service  hydraulic  system 

Inspect  control  cables  for  chafing,  integrity,  and 
rigging 

Inspect  control-system  mechanism;  clean  and 
lubricate  js  required 

Replace  air  filters  on  electronic  cooling-air  system 

Test  operation  of  bell-mouth  seal  system 

Test  operation  of  IFR  emergency-extend  system 

Check  nose-landing-gear  centering  system 
(strut  extended) 

Intensive  inspection  of  nose-landing-gear  extend 
system 

Lubricate  nose-landing-gear  bearing,  doors,  and 
uplocks 

Intensive  inspection  of  critical  structural  items 
Lubricate  night  controls 

Inspect  and  test  operation  of  boundary-layer- 
control  valves  and  systems 

Check  operation  of  seal  trim  system 

Intensive  inspection  of  stabilizer  actuator,  rod,  and 
actuator  fitting 

Test  operation  of  canopy  jettison  system 
At  300  days  (ranges  from  200  to  600  flight  hours) 

Remove  ejection  seat  for  limited  functional  test; 
check  and  service  (corrosion  protection)  as 
required 

DEPOT  VISIT  Limit  960  flight  hours  or  42  months 
Inspect  and  sample  structural  items 


Remove  ejection  seat  and  perform  general  visual 
inspection  of  cockpit 

Repaint  aircraft 
Inspect  control  cables 
Remove  landing  gear 
Replace  flight-control  bearing 
Check  component  hidden  functions 

SPECIAL  CONDmONS 

Engine  removal,  scheduled  at  600  flight  hours  or 
on-condition 

Check  boundary-layer-control  bleed-air  check  valve 
Intensive  inspection  of  engine  mounts 
Perform  visual  check  of  engine  firewall 

Before  carrier  duty 

Check  canopy-actuator  shear-pin  gap 
Check  operation  of  canopy  emergency  jettison 
After  75  arrested  landings 

Perform  magnetic-particle  inspection  of  axle/brake- 
flange  fillets,  main  landing  gear 
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CHAPTER  ELEVEN 

the  use  of  operating  information 


ACE  EXPLORATION,  the  process  of  determining  the  reliability  character- 
istics of  the  equipment  under  actual  operating  conditions,  begins  the 
day  a new  airplane  enters  service.  This  process  includes  monitoring  the 
condition  and  performance  of  each  item,  analyzing  failure  data  to  iden- 
tify problems  and  their  consequences,  evaluating  inspection  findings 
to  adjust  task  intervals,  and  determining  age- reliability  relationships 
for  various  items.  Since  the  decision  process  that  led  to  the  initial 
scheduled-maintenance  program  was  based  on  prior-to-service  infor- 
mation, the  program  will  reflect  a number  of  default  decisions.  As  oper- 
ating experience  begins  to  produce  real  data  on  each  item,  the  same 
decision  logic  can  now  be  used  to  respond  to  unanticipated  failures, 
assess  the  desirability  of  additional  tasks,  and  eliminate  the  cost  of 
unnecessary  and  overintensive  maintenance  resulting  from  the  use  of 
default  answers. 

In  the  preceding  chapters  we  considered  certain  aspects  of  age 
exploration  as  they  relate  to  task  intervals  and  the  intensive  study  of 
individual  item1',  in  the  systems,  powerplant,  and  structures  divisions. 
In  a broad  sense,  however,  age  exploration  encompasses  all  reliability 
information  on  the  aircraft  as  it  ages  in  service.  Thus  the  heart  of  an 
ongoing  maintenance  program  is  the  collection  and  analysis  of  this 
information,  either  by  the  engineering  organization  or  by  a separate 
292  applications  group. 
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Change  oil,  constant-speed  drive  unit 

Replace  aircraft  battery  and  auxiliary-power 
battery  and  test  thermoswitch 

Check  external-power  receptacles 
Inspect  cockpit  equipment  and  installations 

Check  oil  quantity  and  service  horizontal-stabilizer- 
control  drive  unit 

Inspect  wing  trailing-edge  sections 

Perform  separate  operational  check  of  each 
flight-control  hydraulic  system 

Treat  wheelwell  cables,  main  landing  gear,  for 
corrosion  protection  (limit  4,000  flight  hours) 

Inspect  floor,  main  cabin  and  upper  deck 
Inspect  engine  pylons 

Inspect  rudttt.  stabilizer  hinge-support  fitting 
Inspect  cabin  interior 

C2  check  (every  second  C check  or  every  eighth  B check) 

Inspect  access  door,  electronic  and  air-conditioning 
bay 

Lubricate  torque  tube  and  sprocket,  main  entry 
door 

Test  heat-override  valve,  aft  cargo  compartment 

Test  electronic-equipment  airflow  detector 

Test  autothrottle  limit 

Lubricate  flight-control-surface  hinges 

Lubricate  trailing-edge  flap  track 

Inspect  fillet-fairing  support  structure  for  corrosion 

Inspect  lower  rudder,  upper  closing  rib 

C4  check  (every  fourth  C check) 

Inspect  tail-cone  intercostals 


C5  check  (every  fifth  C check) 

Clean  electronic  racks 

Service  alternate  drive  motor,  wing  trailing-edge 
flap 

C x check  < rt  nearest  C check) 

Inspect  internal  fuselage  lower  skin  for  corrosion 
and  apply  LPS  oil  (12,000  hours  start,  repeat  at 
9,000  hours  ± 2,000  hours) 

D CHECK  Limit  25,000  flight  hours 
Perform  next  phase  check  due 
Inspect  and  sample  structural  items 
Refurbish  cabin 
Repaint  aircraft 

Inspect  rudder  and  elevator  cables 

Test  aileron  and  aileron-trim  system  (also  test  all 
other  flight-control  systems) 

Test  fire-extinguishing  system 
Inspect  all  ac  power  wiring 
Check  flight-compartment  access  doors 
Inspect  cables,  ‘uselage  pressurized  areas 

Inspect  spare-engine  aft  support  fitting  for 
corrosion 

Replace  and  rework  landing-gear  parts,  oxygen 
regulators,  and  other  specified  items 


EXHIBIT  10-6  I’.uti.il  maintenance contents  lor  maintenance 
peitonned  on  tin*  Mcllonneli  I4|,  (United  Airlini'sl 


TURNAROUND  Average  every  2 flight  hours 

Clear  pilot  squawk  sheet 

Perform  walkaround  chock  for  damage 

Intensive  inspection  of  torque-arm  assembly, 
nose  landing  gear 

Check  fluid  quantity,  hydraulic  reservoirs,  and 
service  as  required 

Check  operation  of  boundary-layer-control 
airflow  at  one-half  and  full  flaps 

Check  pressure  gage,  emergency  oxygen 
supply 

DAILY  Every  day  aircraft  is  on  operational  status 

Service  liquid-oxygen  converter  (pilot/radar 
operator  oxygen  supply) 

Check  pressure  gages,  ••neiimatic-system 
emergency  bottles 

Check  tire  condition,  nose  landing  gear 

Check  strut'  se  landing  gear  and  main 
landing  gear,  ...  J service  as  required 

Check  brake  condition,  main  landjng  gear 

Check  pressure  gages,  hydraulic-systein 
accumuh.  r 

Check  visual  indicators,  personnel  emergency 
equipment 

Check  boundary-layer-control,  bellows,  and 
outer-wing  connectors 

Geiieril  visual  inspection  of  lower  inboard  and 
outboa’  d wing  surface 

General  visual  inspection  of  wingfold  area 
Check  engine  oil  quantity 

SPECIAL  At  7 days  when  aircraft  is  on  operational 
. tatus 

Check  chemical  dryers 

Clean  water  drain  holes,  lower  forward  fuselage 

Inspect  drag  chute  for  damage  (if  deployed  in 
last  7 days) 

Service  constant-speed  drive  and  check  for 
leaks 


At  14  days  when  aircraft  is  on  operational  status 

Lubricate  aileron,  spoiler,  flap  hinges,  speed-brake 
hinges,  landing  gear,  and  gear  doors 

At  .10  flight  hours;  when  due,  combine  with  lower  check 
Check  operation  of  transducer  probe  heater 

Check  angle-of-attack  sensor  and  signal  quality  to 
air-data  computer 

Check  operation  of  accelerometer 

At  ’'S  days  when  aircraft  is  on  operational  status 
intensive  inspection  of  wing  rear  spar 
Intensive  inspection  of  lower  torque-box  skin 
Intensive  inspection  of  aileron-actuator  access  door 

Intensive  inspection  of  canopy  sill  (underside) 
for  corrosion 

Intensive  inspection  of  upper  longeron 

PHASE  CHECK  At  80  flight  hours;  six  checks  per  500-hour 
cycle 

Lubricate  doors,  uplocks,  ring,  and  torque  collar, 
main  Unding  gear 

Lubricate  wingfold  mechanisms 
Lubricate  ejection-seat  components 

Inspect  spoiler  and  aileron  control-cylinder  rods, 
bolts,  and  nuts 

Inspect  wing  upper  and  lower  skin 

Inspect  arresting  hook 

Check  operation  of  refueling  shutoff  valves 

At  160  flight  hour (every  second  phase  check) 

Intensive  inspect  ion  of  trunnion  fitting,  nose 
landing  gear 

Intensive  inspection  of  aileron  lower-closure  skin 

Check  operation  of  emergency  UHF  transmitter/ 
receiver 

Lubricate  landing-gear  control  handle 

At  240  flight  hours  'every  third  phase  check) 

Check  operation  of  landing-gear  emergency 
extension  system 
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TYPICAL  INFORMATION  SYSTEMS 


Although  intensive  age  exploration  of  individual  items  plays  a direct 
role  in  assessing  their  maintenance  requirements,  this  is  only  one  of 
many  sources  of  relu  ility  information.  In  the  case  of  airplanes  it  is 
also  not  the  information  of  most  immediate  concern.  In  order  to  respond 
to  unanticipated  problems,  an  operating  organization  must  have  some 
means  of  identifying  those  that  require  first  priority.  On  this  basis  the 
airline  industry  ranks  the  various  types  of  reliability  data  according  to 
the  priority  of  failure  consequences  and  is  generally  concerned  with 
information  in  the  following  order: 

► Failures  that  could  nave  a direct  effect  on  safety 

► Failures  that  have  a direct  effect  on  operational  capability,  either 
by  interrupting  the  flight  or  by  restricting  its  continuation 

► The  failure  modes  of  units  removed  as  a result  of  functional  failures 

► The  causes  of  potential  failures  found  as  a result  of  on-condition 
inspections 

► The  general  condition  of  unfailed  parts  in  units  that  have  failed 

► The  general  condition  of  parts  in  units  removed  specifically  for 
sampling  purposes 


types  of  information  systems 
the  Uaes  of  operating 
information 
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This  order  of  importance  is  consistent  with  the  priorities  underlying 
the  RCM  distinctions  between  necessary  and  economically  desirable 
scheduled-maintenance  tasks. 

The  data  needed  to  manage  the  ongoing  maintenance  program 
must  usually  be  extracted  from  a number  of  information  systems,  some 
of  which  were  established  for  purposes  quite  different  from  that  of 
supplying  data  to  maintenance  analysis.  As  a result,  it  is  sometimes  a 
laborious  process  to  assemble  all  the  information  elements  needed  for 
maintenance  decisions.  Most  information  systems  can  be  classified 
according  to  three  basic  characteristics: 

► Event-oriented  systems  collect  and  record  data  whenever  an  unde- 
sirable event  occurs.  Such  systems  range  from  a plan  for  immediate 
telephone  communications  between  designated  executives  in  the 
event  of  any  failure  that  involves  safety  considerations  to  a system 
for  recording  unsatisfactory  conditions  found  during  scheduled 
inspections. 

K Monitoring  systems  summarize  data  about  some  aspect  of  the  oper- 
ation during  a specified  calendar  period.  The  data  are  extracted 
from  event-oriented  systems  and  are  summarized  in  reports  such 
as  the  monthly  premature-removal  report,  the  monthly  delay-and- 
cancellation  report,  and  soon.  These  reports  are  prepared  regardless 
of  the  occurrence  of  any  reportable  events;  thus  they  give  positive 
information  about  the  absence  of  problems  as  well  as  information 
on  any  problems  that  have  occurred. 

► Analysis  systems  not  only  collect,  summarize,  and  report  data,  but 
also  give  the  results  of  some  special  analysis  of  the  information. 
This  might  be  an  actuarial  analysis,  a determination  of  the  20  items 
with  the  highest  premature-removal  rates,  or  some  other  specific 
analysis. 

One  of  the  most  important  information  systems  is  the  airplane 
flight  log.  The  primary  purpose  of  this  log  is  to  record  the  operating  and 
maintenance  history  of  each  airplane.  Such  information  s the  flight 
number,  the  names  of  the  crew  members,  fuel  on  board  at  takeoff,  oil 
on  board  at  takeoff,  takeoff  time,  landing  time,  and  observed  engine 
performance  parameters  and  vibration  levels  are  always  recorded.  In 
addition,  any  instances  of  unsatisfactory  conditions  observed  during 
the  flight  are  entered  on  the  log  sheet  to  alert  the  maintenance  organi- 
zation to  the  need  for  corrective  maintenance  (see  Exhibit  11.1).  The 
maintenance  crew  also  uses  the  log  to  record  the  repairs  made  as  a result 
of  these  reports,  to  record  the  performance  of  scheduled  tasks,  and  by 
signing  a maintenance  release,  to  certify  the  airplane's  airworthiness. 
Copies  of  recent  log  sheets  are  kept  in  the  airplane  for  review  by  the 
operating  crew,  and  the  older  sheets  are  sent  to  a permanent  central  file. 


EXHIBIT  it  • I Log  sheet  from  an  airplane  flight  log.  The  flight  log 
shows  any  unsatisfactory  conditions  reported  by  the  operating  crew, 
as  well  as  the  corrective  aclion  taken  by  the  maintenance  crew. 
(United  Airlines) 
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Another  event-oriented  system  is  the  aircraft  maintenance  infor- 
mation system,  which  keeps  track  of  all  the  scheduled-maintenance  tasks 
performed  at  each  line  station  and  the  manhours  required  for  each  one, 
as  well  as  the  time  spent  on  corrective  work  as  a result  of  crew-reported 
failures  or  conditions  discovered  during  performance  of  the  scheduled 
tasks.  Some  cf  the  larger  airlines  have  computerized  this  system  and 
enter  the  log-book  failure  reports  into  it  as  additional  data.  This  allows 
a maintenance  station  to  determine  what  deferred  repairs  are  going  to 
be  necessary  for  an  arriving  airplane.  However,  this  real-time  on-line 
system  is  still  in  the  early  stages  of  development. 

The  daily  operations  report  is  both  a monitoring  and  an  event- 
oriented  system.  Among  other  things,  it  provides  a brief  narrative 
description  of  any  unusual  flight  incident,  flight  interruption,  delayed 
departure,  or  cancelled  flight  that  has  occurred  during  the  preceding 
24-hour  period. 

Data  associated  with  premature  removals  are  reported  by  means  of 
identification  and  routing  tags,  another  event-oriented  system.  A tag 
attached  to  the  unit  that  is  removed  records  the  removal  information 
and  information  on  the  replacement  unit  and  then  routes  the  removed 
unit  back  to  a maintenance  base  (see  Exhibit  11.2).  The  tag  stays  with 
the  unit  throughout  the  repair  process  and  is  then  filed  for  future  ref- 
erence. When  a major  assembly,  such  as  an  engine  or  a landing  gear, 
reaches  the  shop  for  rework,  additional  tags  are  generated  for  any  sub- 
assembly  that  is  removed  and  routed  to  another  shop. 

Some  of  the  event-oriented  systems  are  complemented  by  moni- 
toring systems.  For  example,  data  are  extracted  periodically  from  the 
identification  and  routing  tags  to  show  the  premature-removal  rates 
of  significant  items.  Similarly,  data  extracted  from  the  daily  operations 
report  for  the  monthly  summary  of  delays  and  cancellations  identify 
the  associated  failures  on  a periodic  basis. 

There  are  additional  information  systems  designed  to  ensure  that 
there  will  be  a record  of  all  adverse  findings  during  every  inspection 
performed,  as  well  as  a record  of  any  corrective  work  done  as  a result 
of  such  findings.  While  this  information  is  available  on  all  items  subject 
to  scheduled  tasks,  the  data  may  be  difficult  to  retrieve.  For  this  reason 
it  is  common  practice  to  designate  certain  units  as  time-extension  samples 
when  an  increase  in  task  intervals  is  being  considered  and  to  pay  par- 
ticular attention  to  data  gathering  for  these  samples. 

In  many  cases  it  is  relatively  easy  to  review  the  data  and  decide 
whether  a change  in  the  scheduled-maintenance  program  would  be 
desirable.  If  it  takes  a long  time  to  repair  a certain  type  of  failure,  and 
scheduled  flights  must  therefore  be  cancelled,  the  economic  justifica- 
tion for  a preventive  task  is  apparent- particularly  if  the  failure  is  one 
APPLICATIONS  that  occurs  frequently.  And  if  no  preventive  tasks  are  applicable  to 
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EXHIBIT  1 1 '2  An  identification  and  routing  tag,  showing  the  unit 
removed  from  the  airplane,  the  reason  for  removal,  verification  of  the 
problem,  and  disposition  of  the  unit.  (United  Airlines) 

an  item,  there  is  no  point  in  adding  them,  regardless  of  the  operational 
consequences  of  the  failures  (there  may,  of  course,  be  a point  in  rede- 
signing the  item).  Sometimes,  however,  when  a functional  failure  might 
or  might  not  have  operational  consequences,  depending  on  the  circum- 
stances, it  may  be  necessary  to  retrieve  info.Tnation  from  a number  of 

different  sources  to  gain  a clear  picture  of  the  problem.  SECTION  ll*i  297 
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EXHIBIT  II- J Premature-removal  "top-twenty"  report.  This 
information,  extracted  from  the  monthly  premature- removal  report, 
lists  data  on  the  20  items  with  the  highest  premature-removal  rates. 
Note  that  this  report  also  shows  the  number  of  premature  removals 
that  were  verified  as  functional  failures.  (United  Airlines) 


TOP  TWENTY  PREMATURE  REMOVALS 


type  of  aircraft  Boeing  727 


period  April-June  1978 


premature- 

removal  maintenance 
rank  records  no.  name 


prematuie- 
no.  of  removal  rate 
premature  (per  1,0CC 
remova.s  unit  hours) 


no.  of  percent  of 
verified  verified 

failures  failures 


1 

21392 

Control,  cabin  pressure 

56 

3.28 

18* 

32 

2 

43132 

Indicator,  WX  radar 

189 

1.85 

66* 

35 

3 

42210 

Receiver,  VHF  navigation 

71 

1.68 

5* 

7 

4 

25342 

Dispenser,  coffee  maker 

368 

1.59 

171* 

46 

5 

43122 

Accessory  unit,  WX  radar 

161 

1.58 

14* 

9 

6 

43112 

Transmitter/ receiver,  WX  radar 

151 

1.48 

73 

48 

7 

41701 

Indicator,  standby  attitude  (SAI) 

13 

1.28 

4 

31 

8 

23711 

Recorder,  cockpit  voice 

124 

1.22 

82 

66 

9 

41134 

Computer,  air  data 

31 

1.14 

21 

68 

10 

42252 

Receiver,  VHF  nav/glidescope 

22 

1.08 

10* 

45 

11 

31212 

Recorder,  flight  data 

104 

1.02 

40 

38 

12 

33496 

+ Light,  anticollision 

10 

.98 

5* 

50 

33495 

— Included  with  33496 

13 

27113 

Channel-pitch  control 

26 

.96 

6 

23 

14 

43511 

Transrnitter/receiver,  radi , altimeter 

95 

.93 

23 

24 

15 

23311 

Amplifier,  public  address 

66 

.88 

12* 

18 

15 

23501 

Accessory  unit,  audio 

15 

.88 

1* 

7 

i < 

22305 

Controller,  pedestal 

64 

.86 

23* 

36 

17 

41294 

Battery  box,  SAI  system 

87 

.85 

46* 

53 

18 

:135 

Altimeter,  electric 

17 

.84 

3* 

18 

19 

21329 

Controller,  cabin  pressure  auto 

61 

.82 

19* 

31 

20 

41193 

Computer,  air  data 

59 

.79 

16* 

27 

Shop  data  incomplete. 


Suppose,  for  example,  that  the  daily  operations  report,  or  perhaps 
the  monthly  summary  of  delays  and  cancellations,  indicates  that  failures 
of  a particular  system  item  are  causing  a fairly  large  percentage  of 
delayed  departures.  Under  these  circumstances  the  maintenance  organ- 
ization would  investigate  to  see  whether  these  consequences  can  be 
alleviated.  The  first  step  is  to  review  the  delay-and-cancellation  sum- 
maries for  the  past  several  months  to  obtain  a broader-based  statistic 
on  the  delays.  It  is  then  necessary  to  go  back  to  the  daily  operations 
report  to  find  out  the  actual  length  of  the  delay  and  the  assembly  or 
assemblies  involved  in  most  of  the  failures. 

Once  the  dimensions  of  the  delay  problem  have  been  established, 
the  next  step  is  to  determine  whether  failures  are  evident  to  the  oper- 
ating crew,  and  if  so,  what  is  being  reported  in  the  flight  log  as  evidence 
of  failure.  It  is  always  possible  that  the  definitions  of  satisfactory  per- 
formance are  so  demanding  that  the  cost  is  greater  than  the  benefits. 

The  log  sheets  may  also  supply  some  information  on  the  assemblies 
that  are  failing,  but  the  best  source  of  this  information  is  the  aircraft 
maintenance  information  system.  This  system  will  show  whether  cor- 
rective maintenance  involves  replacing  failed  units,  and  if  so,  the  fre- 
quency of  replacement  and  the  line-station  cost  of  the  work.  The  fre- 
quency of  repairs  may  be  much  higher  than  the  frequency  of  operational 
delays;  for  example,  failures  on  airplanes  inbound  to  overnight  layovers 
would  have  no  operational  consequences. 

If  the  failures  do  itwolve  the  removal  of  units,  the  monthly  pre- 
mature-removal  report  will  provide  an  overview  of  the  frequency  of 
premature  removals.  This  report  also  shows  the  proportion  of  pre- 
mature removals  that  are  verified  failures  (see  Exhibit  11.3).  If  there 
are  numerous  unverified  failures,  better  troubleshooting  methods  are 
needed.  A check  of  the  present  methods  requires  reference  to  the  iden- 
tification and  routing  tag  system,  shop  records,  and  engineering  records. 

A quick  analysis  of  these  records  will  also  show  whether  one  or  more 
dominant  failure  modes  account  for  a large  proportion  of  the  failures. 

In  either  case  the  shop  cost  records  must  be  examined  to  determine  the 
material  and  labor  costs  incurred  in  repairing  failed  units. 

With  this  information,  together  with  a figure  for  the  imputed  cost 
of  delays,  it  is  now  possible  to  return  to  the  RCM  decision  diagram  to 
examine  possible  cost-effective  tasks.  If  none  can  be  found,  or  even  if 
there  are  applicable  and  effective  tasks,  the  desirability  of  design 
changes  to  improve  the  inherent  reliability  of  the  item  should  also  be 
investigated.  One  supplementary  bit  of  information  will  help  substan- 
tiate the  cost  effectiveness  of  a design  change  — the  reduction  in  spare 
replacement  units  that  would  result  from  a Ic  • premature-removal 
rate.  This  information  requires  a special  analy^  by  the  inventory- 
planning organization.  SECTION  1 1 - 1 299 
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A complete  analysis  of  this  type  has  required  reference  to  eight 
different  information  systems  (see  Exhibit  11.4).  In  time  the  use  of 
integrated  data  bases  will  make  it  easier  to  assemble  the  relevant  data. 
Fortunately,  however,  not  all  maintenance  decisions  require  this  com- 
plete a study.  Indeed,  the  need  for  a formal  study  can  often  be  deter- 
mined fairly  simply  by  means  of  the  decision  diagram  discussed  in 
Section  4.4. 


EXHIBIT  11*4  An  example  of  the  information  systems  that  might  be 
consulted  to  determine  the  desirability  of  introducing^  change  in  the 
scheduled- maintenance  program. 
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information  needed 


source  of  data 
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Identification  of  system  whose 
failures  may  be  causing  operational 
delays 

Frequency  of  delays 

\ 

\ 

\ Length  of  delays 

The' failure  evidence  that  is 
apparent  to  operating  crews 

Identification  of  assembly  or  part 
causing  a large  proportion  of 
system  failures 

Determination  of  whether  repair  at 
line  station  requires  replacement 
(premature  removal)  of  unit 

Frequency  of  unit  replacement 


Cost  of  corrective  maintenance 
(labor)  at  Une  station 

Cost  of  corrective  maintenance 
(labor  and  materials)  at 
maintenance  base 

Identification  of  failure  modes  and 
failure-mode  dominance 

Desirability  of  modifying 
scheduled-maintenance  program 

Effect  of  failure  rate  on  spare-unit 
requirements 

Desirability  of  design  change 
(product  improvement) 


Daily  operations  report  or  monthly 
summary  of  delays  and 
cancellations 

Monthly  summary  of  delays 
and  cancellations 

Daily  operations  report 
Flight-log  sheets 

Daily  operations  report  and 
aircraft  maintenance  information 
system 

Aircraft  maintenance  information 
system 

Aircraft  maintenance  information 
system  and  monthly  premature- 
removal  report 

Aircraft  maintenance  information 
system 

Shop  cost  records 

Shop  records,  identification  and 
routing  tags,  special  analysis 

RCM  analysis 
Inventory-planning  system 
Special  analysis 
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Many  analyses  are  performed  routinely  as  a part  of  age  exploration. 
The  engine  data  recorded  in  the  flight  log;  for  example,  are  fed  into  a 
computer  after  each  flight  and  are  analyzed  on  a daily  basis.  This  com- 
puter analysis  reduces  the  observed  data  to  "standard-day"  reference 
conditions,  compares  the  performance  of  each  engine  with  that  of  other 
engines  on  each  airplane  for  a specific  flight,  and  compares  each  engine 
with  its  prior  history.  The  observed  data  are  weighted  so  that  small 
changes  in  recent  information  receive  more  attention  than  small  changes 
between  recent  and  older  performance,  and  statistical-significance 
tests  are  used  to  identify  engines  whose  performance  parameters  re- 
quire further  investigation. 

This  program  of  flight-log  monitoring  is  useful  in  detecting  minor 
variations  and  trends  that  would  not  be  apparent  to  the  operating  crew. 
The  process  cannot  pinpoint  the  exact  cause  of  the  variation,  and  the 
readings  can  be  affected  by  instrument  changes,  since  each  instrument 
has  different  calibration  errors.  However,  flight-log  monitoring  does 
prompt  investigations  that  may  lead  to  engine  removals  (usually  less 
than  5 percent  of  the  total  premature-removal  rate),  and  on  this  basis  it 
light  be  considered  a form  of  on-condition  inspection. 

Two  other  data  elements  that  are  monitored  by  trend  analysis  are 
in-flight  engine  shutdowns  and  premature  removals.  Exhibit  11.5  shows 
a typical  report  generated  by  a shutdown  event  and  a summary  report 
of  all  shutdowns  for  that  type  of  engine  during  a given  month.  Exhibit 
11.6  shows  long-term  trends  in  shutdown  and  premature-removal  rates 
for  the  same  engine.  Premature-removal  rates  are  summarized  monthly 
for  all  significant  items,  usually  with  a supplementary  report  like  that 
in  Exhibit  11.3,  listing  the  items  with  the  highest  removal  rates.  These 
summaries  do  not  identify  the  failure  cou-equences,  but  they  do  show 
w^  terns  are  the  least  reliable. 

mature-removal  data  are  used  r ot  only  for  actuarial  analysis, 
but  .o  to  help  identify  chronic  maintenance  problems,  failures  that 
are  d in  a system  and  are  not  corrected  by  replacing  the  items  that 
seem  to  be  causing  the  problem.  Removal  data  are  fed  into  a computer 
that  retains  a certain  amount  of  recent  history,  usually  covering  a period 
of  about ; uonth.  New  data  are  compared  with  the  stored  history  and 
an  alert  it  given  if  an  item  has  more  than  the  expected  number  of  re- 
movals <*  ’ring  the  period  covered.  This  alert  report  identifies  the  air- 
planes . . have  had  repeated  removals  and  also  notifies  the  mainte- 

nance organization  that  special  troubleshooting  effort  is  needed  to 
locate  the  source  of  the  problem.  Other  systems  for  identifying  air- 
planes with  chronic  problems  use  the  flight  log  as  a data  base.  All  such 


flight-log  monitoring 
chronic  maintenance  problems 

analysis  of  premature-removal 
data 

actuarial  analysis 

effect  of  an  overhaul  limit 
on  age  exploration 
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plane  no.  S042U  station  8LC  dal*  2/1/76 

Incident  no.  061400  unechsc,  landing 

delay  delay  time  cancellation  substitution 

flight  In/datt  flight  out/date 

plane  no.  dispatched  in-flight  stage  CmlM 

primary  reap,  station  ayitem  79  engine  in-flight  shutdown  Yea 

problem  and  repair,  parts  replaced  (include  part  nos.) 

Log  report:  Precautionary  shutdown  no.  1 eng  sect  find  oil  preen,  Lite  on, 
hi  temp.  Windmilled  25  min,  maintained  20  pel. 

Action:  SLCMM  refilled  oil  tank,  ran  20  min,  no  oil  lose.  No  external  oil 
leakage  found.  Found  oil  qty  gage  atuck  at  8.5.  Swapped  gagee  and  oil 
qty  checked  OK  after  filling  oil  tank.  Accessory  case  strainer,  scavenge 
oil  screen,  main  oil  screen  ail  checked  OK.  Deferred  SFOMM. 


EXHIBIT  I1'5  Lpft,  a typical  in-flight  shutdown  report  showing  the 
details  for  that  event,  and  right,  a monthly  summary  of  the  in-flight 
shutdowns  for  that  type  of  engine.  (United  Airlines) 


EXHIBIT  II  '6  Shutdown  and  premature-removal  rates  plotted  over  an 
13-month  period  for  the  Pratt  & Whitney  JT3D-3  engine  on  the 
Douglas  DC-8.  (United  Airlines) 
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tyg»  of  aircraft  Dougin  DC-9  period  Fabruary  1979 

typo  of  angina  Pratt  k.  Whitney  JTSD-l/S/SB 


no. 

plant, 

,B8 

date, 

station 

engine 

**• 

retton  for  shutdown 

line  action 

findings 

i 

8042U 

1 

2/7 

SLC 

20681 

High  oil  temptraturc 

Engine  change 

Undetermined 
critical  other  X 

2 

8061 U 

2 

2/11 

ORD 

MSftt 

Engine  oil  tempera  hue 
pegged,  found  rear 

Engine  change 

Gearbox  full  of  oil; 
severe  cavitation  eroeion 

8044U 

3 


2/18 

JFK 


booring  aool  failed 


16920  Low  oil  pressure 


In  pressure-pump 
cylinder  well  through 
which  oil  leaked 


critical 


other  K 


Found  oil  leak  at  B nuts 
inlet  and  outlet  of  oil- 
scavenge  screens;  ra- 
te rqued  B nuts,  checked 
OK,  returned  plane  to 
service 


Loose  B nuts  at  scavenge 
screen 


critical 


other  X 


reports  are  intended  to  aid  in  troubleshooting  on  airplanes  with  espe- 
cially complex  systems,  but  as  the  use  of  built-in  test  equipment  (BITE) 
becomes  more  common,  they  may  become  unnecessary. 

From  time  to  time  it  is  desirable  to  explore  the  age-reliability  rela- 
tionship for  a particular  item  to  determine  whether  a scheduled  rework 
task  is  applicable.  In  this  case  the  premature-removal  data  are  supple- 
mented by  other  data  for  the  several  different  analyses  that  might  be 
made*  Exhibit  11.7  shows  the  history  of  a constant-speed-drive  unit 
on  the  Boeing  727  over  one  calendar  quarter.  Note  that  this  report  iden- 
tifies the  types  of  functional  failures,  as  well  as  the  failure  modes.  Exhibit 
11.8  shows  the  results  of  an  actuarial  analysis  of  this  history,  and  the 
curves  in  Exhibit  11.9  show  a summary  analysis  of  data  over  a period  of 
several  years.  The  constant-speed  drive  shows  no  evidence  of  a wearout 
age,  indicating  that  removal  of  this  item  for  rework  at  some  arbitrary 
operating  age  will  have  little  effect  on  its  reliability. 

‘For  a detailed  discussion  of  the  actuarial  techniques  employed  in  these  analyses,  see 

Appendix  C.  SECTION  11-2  303 
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EXHIBIT  II  ‘7  A history  of  operating  experience  over  one  calendar 
quarter  with  the  constant-speed  drive  on  the  Boeing  727.  The  unit 
TSO  refers  to  operating  age  since  last  shop  visit.  (United  Airlines) 


item  Identification  MR  24118  727  conatant-epeed  drive 


0-4*9 

ii,a*i 

a 

i 

/ 

300-9*9 

0 

1,000-1,499 

'll  <37 

0 

1,900-1,999 

6 ill 

a 

n 

2,000-2,49* 

*34 1 

i 

/ 

2,500-  2,999 

Sits 

i 

/ 

0 

3,000-3,499 

-47*tS 

i 

/ 

3,30t -3,999 

6 

4,0V -4,499 

•**1*1 

1 

0 

/ 

4,  S0( -4,939 

3fcefc 

0 

5,00(r-5,499 

ai»u 

0 

9,000-9,499 

Sift 

A 

/ 

/ 
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Operating  age  atnee  last  overhaul  (flight  Hour*) 


EXHIBIT  II  -8  The  results  of  actuarial  analysis  of  the  operating 
history  shown  in  Exhibit  11.7.  Of  the  total  premature  removals,  some 
units  were  repaired  and  returned  to  service  and  others  required 
sufficient!  extensive  work  to  zero-time  their  operating  ages. 

(United  Anlines) 


At  the  time  the  curves  in  Exhibits  11.8  and  11.9  were  developed  this 
constant-speed  drive  was  subject  to  an  overhaul  age  limit,  although  it 
was  being  rapidly  extended  as  a result  of  actuarial  analysis  and  the 
findings  from  teardown  inspections  of  time-expired  units.  Evidence 
of  deterioration  will  usually  be  found  in  serviceable  units  that  are 
removed  at  some  specified  age  limit,  but  ;t  is  generally  beyond  human 
capability  to  estimate  from  this  early  evidence  the  rate  at  which  the 
deterioration  will  progress.  Consequently  teardown  inspections  of 
time-expired  units  rarely  provide  the  information  in  which  we  are  most 
interested.  The  condition  of  parts  in  failed  units,  however,  provides 
information  on  the  general  deterioration  of  these  units,  as  well  as  on 
the  specific  failure  modes  to  which  they  are  subject.  Moreover,  since 

failed  units  are  avai’able  for  inspection  at  far  more  frequent  intervals  SECTION  11-2  305 
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EXHIBIT  II  •»  The  results  of  actuarial  analysis  of  operating  experience 
over  a five-year  period  for  the  constant-speed  drive  of  the  Boeing 
727.  (United  Airlines) 


than  would  be  necessary  (or  feasible)  for  a rework  age  limit,  this  infer-/' 
mation  accumulates  continuously  without  the  need  to  remove  units 
from  service  at  fixed  intervals.  Exhibit  11.10  shows  how  high-time 
inspection  samples  become  available  forage  exploration  with  and  with- 
out the  imposition  of  a rework  age  limit. 

Of  course,  the  real  criterion  of  applicability  for  scheduled  rework 
is  the  existence  of  a well-defined  wearout. region  in  the  conditional- 
probability  curve.  Thus  unless  enough  failures  have  occurred  to  provide 
the  necessary  data  for  a conditional-probability  curve,  there  is  no  basis 
on  which  a rework  task  can  be  scheduled  — nor  is  there  any  basis  for 
determining  whether  it  would  be  cost-effective  even  if  it  proved  to  be 
applicable. 

Whereas  age  exploration  to  support  scheduled  rework  tasks  relies 
on  statistical  analysis,  the  analyses  directed  at  extension  of  the  initial 
intervals  in  an  RCM  program  are  based  on  the  results  of  the  tasks  them- 
selves. Most  of  the  tasks  in  an  initial  program  are  on-condition  inspec- 
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tions,  and  when  they  are  grouped  into  the  various  letter-check  pack- 
ages, it  is  with  the  expectation  that  the  inspection  findings  on  a small 
number  of  airplanes  (time-extension  samples)  will  support  major  ex- 
tensions of  these  work-package  intervals.  During  the  period  in  which 
intervals  are  being  extended,  engineers  and  analysts  participate  in  the 
inspections  of  the  units  designated  as  time-extension  samples  and 
make  their  own  notes  to  supplement  the  information  that  will  become 
available  from  other  information  systems. 


11*3  MODIFYING  THE  MAINTENANCE 
PROCRAM 

The  nature  of  the  items  in  the  systems,  powerplant,  and  structures 
divisions  leads  to  different  patterns  in  their  maintenance  requirements, 
and  hence  in  the  decision  paths  used  to  arrive  at  an  initial  set  of  sched- 
uled tasks.  For  the  same  reason,  age-exploration  activities  in  each  of 
the  three  major  divisions  tend  to  focus  on  different  sources  of  reliability 
information.  In  some  cases  the  study  of  individual  items  involves  no 
specified  age  limits;  in  other  cases  it  involves  limits  that  are  moved 

EXHIBIT  11*10  The  effect  of  .in  overhaul  limit  on  age  explorat  ion. 
With  a hard-time  limit,  units  that  fail  shortly  before  they  are  due  for 
scheduled  removal  are  overhauled  prematurely.  This  procedure  aero- 
times  many  units,  thus  reducing  the  number  that  survive  to  the  end 
of  the  Interval  and  can  be  used  as  inspection  samples  to  support 
extension  of  the  current  limit.  With  no  fixed  remov.-.I  limit,  the 
economic  reasons  for  premature  overhaul  no  longer  exist,  and 
inspection  of  the  oldest  opportunity  samples  provided  by  failures 
results  in  samples  at  increasing  ages  instead  of  a number  of  samples 
all  of  the  same  age. 


age  exploration  of  systems 
age  exploration  of  powerpl.ints 
age  exploration  of  structures 


freely  and  rapidly  on  the  basis  of  inspection  findings.  The  essential 
factor  ivtvdi  cases  is  not  the  existence  of  an  age  limit,  but  knowing  the 
age  of  each  unit  of  the  item  examined. 

AGE  EXPLORATION  Of  SYSTEMS  ITEMS 

The  systems  division  consists  of  a large  number  of  readily  replaceable 
complex  items  and  their  relatively  simple  fixed  connecting  lines.  Usually 
an  initial  systems  program  includes  few  scheduled-maintenance  tasks 
other  than  servicing  and  failure-finding  inspections,  and  there  are  rarely 
defined  age- exploration  requirements,  as  in  the  powerplant  and  struc- 
ture programs.  The  cost  of  corrective  maintenance  is  fairly  low  for  most 
systems  items,  and  when  operating  data  do  indicate  that  additional  pre- 
ventive tasks  are  justified,  it  is  generally  because  of  an  unexpectedly 
high  failure  rate  that  involves  operational  consequent  In  some  cases 
the  failure  rate  may  be  high  enough  to  warrant  the  replacement  of  cer- 
tain components  with  more  reliable  ones. 

One  aspect  of  operational  consequences  not  discussed  thus  far  is 
passenger  reaction  to  failures  that  would  not  otherwise  affect  the  oper- 
ating capability  of  the  airplane.  A case  in  point  is  the  problem  that 
developed  with  toilets  on  the  Boeing  747.  The  airplane  is  equipped  with 
eleven  lavatories;  hence  the  system  is  protected  by  redundancy.  The 
toilet  units  are  of  the  recirculating  type,  in  which  the  flushing  water  is 
pumped  through  filters,  deodorized,  and  eventually  pumped  back  to 
the  unit  for  reuse.  One  failure  mode  is  a plugged  line  or  flushing  ring, 
so  that  the  toilet  can  no  longer  be  flushed.  When  this  occurs  the  lavatory 
is  closed,  and  the  failure  is  recorded  in  the  flight  log  for  repair  when 
the  airplane  reaches  its  destination.  However,  with  one  or  more  lava- 
tories closed,  a long  line  forms  at  the  operable  units,  and  passengers 
often  find  the  wait  uncomfortable.  Moreover,  one  of  the  failure  effects 
that  was  overlooked  was  the  fact  that  the  deodorizing  action  is  inef- 
fective on  an  inoperable  toilet. 

When  passenger  reaction  indicated  an  extensive  problem,  espe- 
cially during  the  summer,  when  each  trip  has  more  passengers  and 
more  trips  are  full,  the  failure  was  treated  as  one  that  had  serious  opera- 
tional consequences.  In  this  case  an  on-condition  task  was  added  to  the 
program.  A partially  plugged  line  or  ring  is  evidenced  by  incomplete 
flow  from  the  ring.  Thus  it  was  possible  to  check  the  amount  of  the  bowl 
wetted  during  the  flushing  operation  and  treat  units  with  incompletely 
wetted  bowls  as  potential  failures  (see  Exhibit  11.11).  This  task  was 
scheduled,  of  course,  to  coincide  with  inspections  for  other  problems. 

Since  the  reliability  of  systems  items  on  the  whole  tends  to  be  low, 
the  principal  age-exploration  tool  in  the  systems  division  is  actuarial 
analysis  of  failure  data.  Ordinarily  the  conditional  probability  of  failure 
for  a complex  item  is  not  expected  to  vary  much  with  operating  age. 
However,  a newly  designed  system  will  sometimes  show  a dominant 
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plan*  no.  Select  8000  skill  crew  non*  phase  job  no. 

ref.  C 4t  S toilet  fluids  ring  90  E 1204  40  20 

-08-88 

COA  no.  cost  da**  no. 

imp.  accom.  by 

09  Clear  flush-ring  fluid  outlet  in  bowl  of 
residue  an  J check  flushing  action. 

Caution:  Do  not  operate  toilet  flush  pumps  if  waste 
tank  is  empty. 

A With  a long-handled  brush  and  system  flushing 
fluid,  remove  all  residue  from  the  flushing- 
ring fluid  outlets  in  bowl  of  toilets  listed: 
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1 LavUl 
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2 Uv  B 
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3 Lav  C 

B Check  toilet  flushing  action  of  each  toilet 
listed  below,  as  follows: 

1 Push  flush  button  and  allow  completion  of  one 
full  cycle;  wait  30  seconds  (minimum)  before 
starting  test  cycle. 

2 Push  button  for  test  cycle.  The  cycle  should 
start  immediately  and  continue  for  12  plus  or 
minus  3 seconds.  There  must  be  a vigorous 
flushing  action  in  the  bowl  and  the  inside  of 
the  bowl  shall  be  completely  wetted.  Make  a 
writeup  to  correct  inadequate  flush  action. 

1 I AUvUl 

1 I B Lav  B 

1 I CUvC 


EXHIBIT  1 1 • 1 1 The  job  instruction  card  for  a task  added  to  the 
Boeing  747  maintenance  program  to  prevent  operational  consequences. 
(United  Airlines) 

' ' I 

failure  mode  that  is  both  age-related  and  expensive  enough  to  make  an 
age-limit  task  desirable.  Exhibit  11.12  shows  a conditional-probability 
curve  derived  from  operating  experience  with  the  engine-driven  gen- 
erator of  the  Boeing  727.  There  is  little  change  in  the  failure  rate  until 
about  2,000  hours,  when  the  bearing  starts  to  fail;  thereafter  the  condi- 
tional probability  of  failure  increases  with  age  as  this  failure  mode 
becomes  more  dominant.  The  survival  curve  in  Exhibit  11.12  shows  the 
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tXHIMT  11*12  The  results  of  Jctuuriu)  analysis  of  operating 
experience  with  the  engine-driven  generator  of  the  Boeing  727.  The 
data  repiesenl  a total  of  1,310,269  unit  hours  from  January  t,  1970  to 
January  31,  1971.  (United  Airlines) 
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Bearing  failures  cause  such  extensive  damage  to  a generator  that 
tl'“  entire  generator  must  be  scrapped  and  replaced  with  a new  one, 
at  a cost  of  about  $2,500,  The  bearing  itself  costs  only  $50.  In  this  case  a 
cost  analysis  showed  that  it  would  be  desirable  to  assign  an  economic- 
life  discard  task  to  the  bearing  at  an  interval  of  4,000  hours.  Such  a task 
could  also  be  viewed  as  a scheduled  rework  task  for  the  generator,  with 
the  rework  specification  including  discard  and  replacement  of  the 
bearing. 

The  generator  and  bus-tie  relay  on  the  Douglas  DC-8  was  assigned 
a scheduled  rework  task  for  a different  reason.  The  relay  is  a complex 
mechanical  item  in  the  first  type  of  aircraft  to  have  three-phase  400-cycle 
ac  power  system s.  Its  basic  functions  are  to  convey  the  power  from  each 
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generator  to  its  own  load  bus  and  to  convey  ground  power  to  the  indi- 
vidual load  buses.  A failure  of  either  of  these  functions  will  be  reported 
by  the  operating  crew  and  will  result  in  removal  of  the  faulty  relay  for 
repair,  The  relay  also  has  a number  of  secondary  functions,  some  of 
which  are  hidden.  However,  the  maintenance  program  for  this  aircraft 
predated  the  use  of  RCM  techniques,  and  at  that  time  no  recognition 
was  given  to  hidden  functions. 

When  older  units  began  coming  inic  che  shop  for  repair,  many  of 
the  hidden  functions  were  found  to  be  in  a failed  state;  in  addition,  many 
of  the  parts  were  so  worn  that  the  units  could  no  longer  be  repaired.  On 
this  basis  the  relay  was  assigned  a rework  tssl.—  scheduled  removal  at  a 
maximum  age  limit  of  14,000  hours  for  shop  disassembly  to  the  extent 
necessary  for  repair.  This  task  was  intended  primarily  to  protect  the 
important  hidden  functions,  but  the  saving  in  repairable  units  in  this 
case  more  than  offset  the  expense  of  scheduled  removals. 

Although  unanticipated  failures  in  the  systems  division  rarely  in- 
volve safety,  some  failures  do  have  serious  enough  consequences  to  be 
treated  as  if  they  were  critical.  One  such  case  was  a failure  of  the  landing- 
gear  actuator  endcap  on  the  Douglas  DC-10,  discussed  in  Section  7.3. 

The  endcap  was  designed  to  have  a fatigue  life  longer  than  the  expected 
service  life  of  the  airplane,  and  since  corrosion  was  not  expected  to  be 
a problem  with  this  item,  the  only  task  assigned  in  the  initial  program 
was  an  on-condition  inspection  of  the  cap  whenever  the  actuator  was  in 
the  shop  for  repair.  A check  for  internal  hydraulic  leaks  had  also  been 
discussed,  but  it  was  considered  unnecessary  for  this  type  of  actuator. 

Unfortunately  this  actuator  is  not  removed  as  part  of  the  landing  gear, 
and  it  has  a very'  low  failure  rate.  Consequently  no  opportunity  inspec- 
tions had  been  performed. 

The  endcap  actually  experienced  two  failures  in  the  industry,  each 
with  different  airlines.  These  failures  originated  in  the  exposed  internal 
portion  of  the  endcap,  where  an  O-ring  is  used  to  seal  in  the  hydraulic 
fluid.  The  original  design  and  assembly  techniques  had  allowed  mois- 
ture to  accumulate  between  the  cap  and  body  of  the  actuator  on  the  air 
side  of  the  O-ring,  causing  pitting  corrosion.  When  the  endcap  separates 
from  the  actuator,  all  the  hydraulic  fluid  is  lost  from  the  number  3 
hydraulic  system,  and  the  landing  ge.'<  cannot  be  retracted.  If  this  failure 
occurred  during  flight,  the  gear  in  the  failed  position  would  rest  on  the 
doors,  and  when  the  pilot  extended  the  landing  gear,  all  three  gears 
would  simply  free-fall  to  the  down  and  locked  position.  However,  if  the 
gear  doors  were  also  to  fail,  the  failed  gear  would  free-fall  through  the 
opening,  and  in  the  extreme  case  at  high  speed,  the  door  could  separate 
and  fall  to  the  ground.  This  multiple  failure  would  be  considered  critical. 

While  neither  of  the  two  endcap  failures  in  themselves  were  classi- 
fied as  critical,  the  action  taken  was  similar  to  that  for  an  unanticipated  SECTION  u -3  311 
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critical  failure.  First,  a safe-life  limit  was  established  for  the  endcap  and 
a modified  part  with  greater  fatigue  life  was  designed.  This  modified 
cap  is  being  installed  at  or  before  the  existing  caps  reach  the  present 
life  limit.  Second,  all  actuators  are  being  removed  and  sent  to  the  shop 
for  upgrading  as  fast  as  they  can  be  handled.  Each  actuator  is  dis- 
assembled, the  endcap  is  replaced  with  the  new  part,  corrosion  on  other 
parts  of  the  actuator  is  removed,  and  improved  corrosion-protection 
materials  are  applied  on  reassembly.  This  procedure  consists  of  applying 
fluid-resistant  primer  to  the  threads  of  both  the  endcap  and  the  barrel, 
renewing  the  cadmium  plating  and  painting,  assembling  the  actuator 
with  grease  on  all  threads,  and  applying  corrosion- inhibiting  sealant 
on  the  last  thread  at  all  threaded  joints.  When  all  the  shorter-life  parts 
are  removed  from  service  and  all  the  actuators  have  been  assembled 
with  this  new  procedure,  it  is  expected  that  the  problem  will  be  resolved. 

Failure  data  are  also  the  basis  for  adjusting  task  intervals  for  hidden 
functions  in  systems  items.  Many  of  the  failure- finding  tasks  are  based 
on  opportunity  samples,  tests  or  inspections  of  hidden  functions  on 
units  sent  to  the  shop  for  other  repairs.  The  results  of  these  inspections 
are  recorded  and  analyzed  to  find  the  inspection  interval  that  will  pro- 
vide the  required  level  of  availability  at  the  lowest  inspection  cost. 
The  units  tested  in  the  shop  are  considered  to  be  a random  sampling  of 
the  units  in  the  operating  fleet.  Thus  the  percentage  of  failures  found 
in  the  shop  tests  can  be  taken  as  the  percentage  of  failures  that  would  be 
found  throughout  the  fleet.  Failure-finding  inspections  of  items  in- 
stalled on  the  airplane  are  performed  at  scheduled  intervals.  In  this  case 
the  percentage  of  failures  found  will  represent  approximately  twice 
the  percentage  expected  in  the  entire  fleet,  because  the  inspection 
occurs  at  the  end  of  the  assigned  interval,  rather  than  at  random  times 
since  the  preceding  inspection. 

ACL  EXPLORATION  OF  POWERPLANT  ITEMS 

Age  exploration  is  an  integral  part  of  any  initial  powerplant  program. 
A completely  new  type  of  engine,  often  incorporating  new  technology, 
is  usually  quite  unreliable  when  it  first  enters  service.  During  the  first 
few  years  of  operation  premature-removal  rates  are  commonly  as  high 
as  2 per  1,000  engine  hours.  This  high  removal  rate  makes  it  possible 
for  the  engine  repair  shop  to  obtain  information  not  only  on  the  parts 
involved  in  the  failure,  but  on  the  condition  of  other  parts  of  the  engine 
as  well. 

Most  new  aircraft  engines  experience  unanticipated  failures,  some 
of  which  are  serious,  The  first  occurrence  of  any  serious  engine  failure 
immediately  sets  in  motion  the  developmental  cycle  described  in  Sec- 
tion 5.2.  The  cause  of  the  failure  is  identified,  and  an  on-condition  task 
is  devised  to  control  functional  failures  until  the  problem  can  be  resolved 
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EXHIBIT  It '13  History  of  the  C-sump  problem  in  the  General  Electric 
CF6-6  engine  on  the  Douglas  DC-10.  The  on-condition  task  instituted 
to  control  this  problem  had  to  be  reduced  to  30-cycle  intervals  in  order 
to  prevent  all  functional  failures.  The  precise  cause  of  this  failure 
was  never  pinpointed;  however,  both  the  inspection  task  and  the 
redesigned  part  covered  both  possibilities.  Once  modification 
of  all  in-service  engines  was  complete  no  further  potential 
failures  were  found,  and  the  inspection  requirement  was 
eventually  eliminated. 


at  the  design  level.  Modified  parts  are  then  incorporated  in  the  oper- 
ating fleet,  and  when  continued  inspections  have  shown  that  the  mod- 
ification is  successful,  the  special  task  requirements  are  terminated. 

The  General  Electric  CF-6  engine  on  the  Douglas  DC-10  experienced 
several  such  unanticipated  failures  during  early  operation.  The  low- 
pressure  turbine  sections  separated  from  the  engine,  and  these  separ- 
ated rear  sections  fell  off  the  airplane.  Investigation  determined  that 
these  failures  were  probably  a result  of  oil  fires  in  the  engine  case, 
caused  by  seepage  due  to  a pressure  imbalance  in  the  oil  scavenging 
system.  However,  there  was  also  a possibility  that  there  had  been  a 
structural  failure  of  the  C sump,  which  supports  two  of  the  bearings. 
Thus  on-condition  borescope  inspections  of  the  C sump  were  sched- 
uled to  search  for  either  cracks  in  the  C sump  or  oil  on  its  external 
surface.  The  initial  interval  for  this  inspection  was  125  flight  cycles, 
but  the  interval  was  lowered  to  30  cycles  after  another  functional  fail- 
ure occurred  (see  Exhibit  11.13).  Inspections  were  continued  at  this 
short  interval  until  the  engines  were  modified. 
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EXHIBIT  II  ‘14  A portion  of  the  opportunity -sampling  program 
for  age  \ploration  of  the  Pratt  & Whitney  JT8D-7  engine. 
(United  Airlines) 


section  and  part  name 


inspection  iimit 


COLD  SECTION 

No.  2 bearing  assembly 

Fngine  Manual.  72-09-50  — — 

Intermediate  case  (Cadillac? 

Engine  Manual,  72-34-1.  

Intermediate  case  (non-Cadillac) 

Engine  Manual,  72-34-1  

13th-stage  bleed  MFD 

Engine  Manual,  72-72-0  

Heavy  maintenance,  72-72-0  Available 

8th-stage  bleed  MFD 

Engine  Manual,  72-/2-0  

Heavy  maintenance,  72’  72-0  Available 

No.  4 '/a  carbon  seal, 

#728981-600  assemblies  only 

Engine  Manual,  72-09-13 

Engine  Manual,  72-09-10  

Engine  Manual,  72-09-20 

Heavy  maintenance,  72-53  Available 

No.  4 ‘/a  carbon  seal,  other 
part  no.  assemblies 

Engine  Manual,  72-09-13 

Engine  Manual,  72-09-10  9,500 

Engine  Manual,  72-09-20 

Heavy  maintenance,  72-53  Available 

No.  6 carbon  seal 

Engine  Manual,  72-09-13 

Engine  Manual,  72-09-10  8,600 

Engine  Manual,  72-09-20 

Heavy  maintenance,  72-53  Available 

Accessory  bearings,  front 
accessory  drive 

Engine  Manual,  72-09-50  — — 

Accessory  bearings,  gearbox- 
drive  toweishart 

Engine  Manual,  72-09-50  - — — 


inspection  thr  -hold 

21/100-24,000 

19,500—21,000 

17.000- 19,000 

16.000- 18,000 

14,000-16,000 

9,500-12,500 


9,000-12,000 

8,500-11,500 
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Over  the  course  of  six  or  seven  years,  as  failure  information  is 
used  to  improve  the  engine,  the  total  premature-removal  rate  (for  both 
potential  and  functional  failures)  usually  drops  to  0.3  or  less  per  1,000 
engine  hours.  There  are  many  noncritical  parts  in  the  engine  which 
are  quite  reliable,  however,  and  which  may  not  fail  at  all  until  much 
higher  operating  ages.  The  question  is  whether  a rework  or  discard 
age  limit  will  prevent  these  failures  from  occurring.  Until  some  unsatis- 
factory condition  appears,  there  is  no  information  from  which  to  deter- 
mine an  age-reliability  relationship.  In  this  case  all  we  can  do  is 
inspect  unfailed  parts  at  successive  ages  until  some  signs  of  deteriora- 
tion appear.  While  such  inspections  do  not  always  have  on-condition 
capability,  they  are  the  only  source  of  information  on  parts  that  are 
performing  satisfactorily. 

As  opportunity  samples  provide  documented  information  on  parts 
at  increasingly  higher  ages,  the  maintenance  organization  gradually 
compiles  a list  of  significant  parts,  their  failure  modes  if  they  have 
failed,  and  the  age  at  which  full  inspection  should  be  started  for  each 
item.  This  list  identifies  the  part,  refers  to  the  section  of  fhe  mainte- 
nance manual  in  which  the  task  itself  is  defined,  and  states  the  thresh- 
old age  limits  at  which  the  task  is  to  be  performed.  The  schedule  shown 
in  Exhibit  11.14  uses  two  threshold  limits  for  each  engine  item.  Any 
part  th  at  falls  within  these  age  limits  is  treated  as  an  opportunity  sam- 
ple if  it  becomes  available  for  inspection  while  an  engine  is  being 
disassembled  for  repair.  If  any  engine  has  a part  that  has  aged  beyond 
the  upper  limit,  that  part  must  be  inspected  even  if  further  disassembly 
is  required  for  this  purpose  alone.  In  either  case,  the  inspection  sample 
is  measured  against  appropriate  standards,  and  its  condition  is  docu- 
mented on  a special  sampling  form. 

The  sampling  requirements  usually  specify  that  the  threshold 
limits  for  each  item  may  be  increased  after  two  inspection  samples  have 
been  examined  and  found  to  be  in  satisfactory  condition,  although 
engineers  will  often  want  to  inspect  far  more  than  two  samples  before 
authorizing  tension  of  the  limits.  To  ensure  that  most  of  the  samples 
will  be  opp~  rtu.aty  samples,  the  two  threshold  limits  are  set  as  much  as 
3,000  hour,  c.n:  -t  while  th'-  inspection  intervals  are  still  being  extended. 
Conseq  a w.-.en  a aximum  interval  is  identified,  this  "oppor- 
tunity -!\'.r  will  already  have  removed  a great  many  units  before  they 
reached  ...  upper  limit,  leaving  very  few  age-limited  units  in  the 
fleet.  This  type  of  age-exploration  program  has  been  quite  successful 
in  extending  limits  without  the  need  for  engine  removals  solely  to 
inspect  parts. 

If  the  item  is  one  that  has  experienced  functional  failures,  and  an 
actuarial  analysis  has  established  that  a rework  or  discard  task  will 
improve  its  reliability,  the  task  is  added  to  the  program  and  the  item  is 
removed  from  the  sampling  schedule.  In  the  event  of  a serious  unan- 
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ticipated  failure  of  a high-time  part,  the  age  status  of  that  item  will  Le 
reviewed  in  the  entire  fleet,  and  the  engines  with  high-tim'-  parts  will 
be  inspected  on  the  wing  if  this  is  possible  wise  such  engines 
will  be  removed  anH  «>p  tor  disassembly.  • 

as  a result  of  the  continual  process  of  repair  and  replacement  of 
failed  parts  and  the  incorporation  of  design  modifications,  the  parts 
of  any  engine  that  has  been  in  service  for  some  time  will  be  of  widely 
disparate  ages.  The  overall  age  identified  with  an  engine  is  the  age  of 
its  nameplate.  The  nameplate  is  useful  in  referring  to  individual  en- 
gines, but  any  engine  in  an  operating  fleet  may  consist  of  parts  older 
or  younger  than  its  nameplate.  For  this  reason  it  is  necessary  to  keep 
track  not  just  of  the  age  of  each  engine,  but  of  the  ages  of  all  the  parts 
from  which  it  is  assembled. 

AGE  EXPLORATION  OF  STRUCTURAL  ITEMS 

Whereas  systems  and  powerplant  items  are  designed  to  be  interchange- 
able, there  is  no  simple  way  of  replacing  most  structural  elements. 
Repairs  and  even  detailed  inspection  of  internal  parts  of  the  structure 
involve  taking  the  entire  airplane  out  of  service,  sometimes  for  an 
extended  period.  For  this  reason  structural  items  are  designed  to  sur- 
vive to  much  higher  ages  than  systems  or  powerplant  components. 
Nevertheless,  initial  intervals  in  the  structural  inspection  plan  are  only 


EXHIBIT  || -15  A record  of  structural-inspection  findings  and 
corrective  maintenance  as  reported  during  a i.ambei  2 A check. 
Omitted  details  include  labor  time,  signoffs  by  the  mechanic  and 
the  inspector,  and  reference  file  numbers.  (United  Airlines) 
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a fraction  of  this  design  life  goal,  both  because  of  the  consequences  of 
a structural  failure  and  because  of  the  factors  that  can  affect  the  design 
fatigue  life  in  individual  airplanes.  These  include  variations  in  the 
manufacturing  process,  overloads  encountered  by  individual  airplanes, 
loading  spectra  that  differ  from  the  standards  employed  by  the  designer, 
environmental  conditions  causing  corrosion,  and  accidental  damage 
from  foreign  objects. 

In  the  structure  division  the  inspection  program  itself  is  the  vehicle 
for  age  exploration.  Thus  the  initial  intervals  are  intended  not  only  to 
find  and  correct  any  deterioration  that  may  have  occurred,  but  also  to 
identify  the  age  at  which  deterioration  first  becomes  evident  for  each 
structural  item.  Exhibit  11.15  shows  the  form  in  which  the  findings  of 
an  A-check  task  are  recorded,  along  with  a record  of  any  corrective 
action  taken.  The  inspection  findings  and  work  performed  at  line  sta- 
tions are  usually  monitored  by  engineers,  who  log  all  the  relevant  find- 
ings on  those  airplanes  designated  as  inspection  samples  in  the  form 
shown  in  Exhibit  11.16.  With  this  information  there  is  a good  basis  in 
the  ongoing  program  for  revising  the  age  at  which  inspections  of  struc- 
turally significant  items  should  begin  in  later-delivery  airplanes. 

In  general  the  interval  to  the  first  inspection  in  the  initial  program 
is  the  same  as  the  interval  for  repeat  inspections,  and  successive  inspec- 
tions are  performed  on  each  airplane  as  it  ages  to  identify  the  age 
at  which  deterioration  first  becomes  evident.  This  procedure  provides 
adequate  information  if  the  interval  is  short  in  relation  to  the  fatigue- 
life  design  goal.  Inspection  of  an  item  at  intervals  of  5,000  hours,  for 
example,  will  result  in  documentation  of  its  condition  at  total  ages  of 
5,000  hours,  10,000  hours,  15,000  hours,  and  so  on.  However,  if  an  item 
is  assigned  an  initial  interval  of  20,000  hours,  subsequent  inspections  at 
total  ages  of  40,000  and  60,000  hours  would  leave  great  gaps  in  the  flow 
of  age-condition  information.  It  is  therefore  necessary  to  schedule 
inspections  of  several  airplanes  at  intermediate  ages  to  ensure  that  the 
age  at  which  any  deterioration  begins  can  be  identified  within  a close 
enough  range  for  the  information  to  be  useful.  The  items  that  are 
assigned  such  long  intervals,  of  course,  are  those  which  not  only  have 
very  little  effect  on  residual  strength,  but  also  have  a very  low  suscep- 
tibility to  corrosion  and  other  damage. 

Because  it  takes  several  years  for  a fleet  of  airplanes  to  build  up,  it 
is  always  hoped  that  the  conservative  start-of-inspection  intervals  in 
the  initial  program  will  apply  only  to  the  first  few  airplane?  to  reach 
these  ages,  and  that  inspection  findings  will  support  an  increase  in  the 
ages  at  which  the  first  inspections  are  performed  on  subsequent  air- 
planes entering  the  fleet.  This  increase  is  usually  accomplished  by 
"forgiving"  the  first  few  inspections  in  the  sequence,  rather  than  by 
changing  the  interval.  The  information  obtained  from  the  inspections 


SECTION  II -3  317 


ON-AlRCItAFT  INSPECTION  FINDINGS 

1 On  9/2/71  at  289  hours 

Indications  of  material  flowing  out  of  center  waste  pump  in  aft 
waste  tank 

103  rivets  popped  or  loose,  RH  side  ot  att  pylon  fin;  96  rivets  loose, 
LH  side  of  aft  pylon  fin 

2 On  9/28/71  at  571  hours 

No  significant  defects  recorded 

3 On  11/3/71  at  881  hours 

No  significant  defects  recorded 

4 On  12/12/71  at  1,166  hours 

No  significant  defects  recorded 

5 On  1/24/72  at  1,475  hours 

A couple  of  writeups  that  could  indicate  a chronic  condition. 
Numerous  loose  rivets  on  left  4c  right  wing  tips;  also  loose  rivets 
on  no.  2 engine  top  aft  fairing. 

6 On  3/21/72  at  1,835  hours 

Repair  fuselage  damage  under  captain's  window,  left  side  of 
fuselage;  scrape  4 ft  long.  Removed  rivets,  bumpe  1 out  skin  to 
contour,  installed  2024T3  tapered  shims  between  skin  4c  frame, 
reinstalled  rivets.  To  be  inspected,  sta  330  frame,  in  approx.  3,000  hr. 

Lower  LH  leading-edge  skin  cracked.  Installed  patches,  replaced 
door. 

I ceding -edge  doors  found  loose  even  though  they  had  previously 
been  taped;  one  door  had  broken  through  tape,  was  hanging  down 
approx.  3/4  in. 

Aft,  center,  & fwd  cargo  dcor  hinges  rusted.  Cleaned  and  sprayed 
with  oil. 


EXHIBIT  II  <16  An  example  of  the  inspections  findings  recorded 
l.ir  a designated  inspection  sample  ol  the  Douglas  DC-Ill  airplane. 

(United  Airlines) 

is  supplemented  by  data  from  the  manufacturer's  continuing  fatigue 
tests,  as  well  as  by  inspection  information  from  other  operating  organ- 
izations. Once  the  first  evidence  of  deterioration  does  appear,  this  new 
information  may  indicate  that  adjustment  of  the  repeat  interval  itself 
would  be  desirable.  When  early  deterioration  appears  in  a structural 
' item,  low  start-of-inspection  and  repeat  intervals  must  be  defined  and 

maintained  until  design  changes  have  been  incorporated  that  avoid  the 
318  applications  need  for  such  early  and  frequent  inspections. 


..  .vWHfx  *»»  i 


~ 


Evidence  of  working  rivet*  above  LH  overwing  entry  door  at  splicea, 
sta  1256  & 1309  and  longeron  15.  No  action  taken. 

7 On  5/8/72  at  2,196  hour* 

SO  rivets  looae  & popped  at  vert,  stabilizer  fin  above  aft  engine  hot 
section.  Replaced  rivets. 

No.  6 axle  sleeve  has  migrated  and  rotated.  Shop  repaired. 

Bracket  cracked  on  no.  1 pylon  cap  area.  Replaced  bracket. 

Right  inboard  spoiler  upper  akin  cracked.  Replaced  spoiler. 

Typical  and  chronic  loose  leading-edge  plates,  poppe ..  rivets  on 
wing-tip  structure. ... 

8 On  6/16/72  at  2,533  hours 

Possible  corrosion  source:  drain  in  service  center  leaks  to  FFR.  Blew 
out  all  drain  lines,  unable  to  find  trace  of  leak. 

Chronic -right  & left  wing  leading-edge  plates  cracked,  latches 
loose,  etc. 

Firewall  cracked,  no.  2 engine,  PT7  bulkhead  fitting  loose  and  bolt 
missing  just  aft  of  aft  engine  mount.  Stop- drilled  cracks,  installed 
doubler  under  bulkhead  fitting. 

9 On  8/7/72  at  2,968  hours 

Rib  flanges  cracked  and  rivets  sheared  at  fwd  end  of  tail  fin  above 
aft  end  of  no.  2 engine.  2d,  3d,  4th,  6t  5th  from  tap  on  left  side  and 
5th,  6th,  & 7th  on  right  side,  interior.  OK  to  continue  to  special 
route  for  COA. 

Lower  leading-edge  plate  cracked,  loose,  etc.  (typical). 

Lower  leading-edge  skin  area  just  fwd  of  center  accessory  compart- 
ment has  water.  Sucked  out  water  (recorded  as  possible  corrosion 
source). 

LH  no.  2 lead-edge  slat  retract  cable  frayed  beyond  limits  (center 
track  at  wing  leading  edge).  Replaced  cable.  Caused  by  contact. . . . 


In  short,  the  initial  structural  inspection  program  defines  the  start- 
ing points  for  an  age-exploration  program  that  will  continue  throughout 
the  operating  life  of  the  airplane.  At  first  all  significant  items  are 
inspected  on  all  airplanes,  and  as  information  is  obtained,  the  starting 
intervals  assigned  in  the  prior-to-service  program  are  lengthened,  if 
possible,  to  reduce  the  inspection  workload  on  the  later-delivery  air- 
planes. The  major  structural  inspections,  or  D checks,  usually  entail 
inspection  of  all  significant  items  and  most  nonsignificant  ones,  and 
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this  may  be  the  only  work  package  that  requires  inspection  of  class  4 
significant  items. 

The  first  D checks  are  performed  on  the  highest  total-time  airplanes 
of  the  fleet  — the  fleet  leaders,  which  are  the  first  airplanes  to  reach  the 
end  of  the  starting  interval.  While  the  starting  interval  for  this  work 
package  is  being  extended,  the  number  of  major  structural  inspections 
in  any  one  fleet  is  relatively  small.  Once  a maximum  limit  is  reached, 
however,  the  volume  of  major  inspections  increases  markedly  as  indi- 
vidual airplanes  age  to  this  fixed  limit.  At  this  point  it  becomes  neces- 
sary to  examine  possibilities  for  reducing  maintenance  costs  wlvch  do 
not  involve  interval  extension.  It  is  common  in  the  airline  industry  to 
divide  the  ongoing  inspection  program  into  two  parts— a 100  percent 
program,  which  consists  of  those  tasks  to  be  performed  on  every  air- 
plane, and  a sampling  program,  consisting  of  tasks  ;o  be  performed  only 
on  a specified  portion  of  the  fleet. 

The  two  parts  of  the  ongoing  inspection  program  take  into  account 
the  wide  range  in  the  importance  of  individual  structurally  significant 
items  which  is  exemplified  by  the  rating  process.  Class  1 and  class  2 
items  are  identified  by  a joint  consideration  of  the  effect  of  their  failure 
on  residual  strength  and  their  susceptibility  to  deterioration.  If  either  of 
these  factors  is  large,  that  item  must  remain  in  the  100  percent  program 
to  minimize  the  likelihood  of  a functional  failure.  The  100  percent  pro- 
gram thus  ensures  the  integrity  of  those  structural  elements  which  are 
essential  to  the  safety  of  the  airplane. 

The  concept  of  damage-tolerant  design  depends  on  the  existence  of 
this  100  percent  inspection  plan  to  reveal  any  failed  structural  member 
before  the  failure  of  a second  member  can  cause  an  unacceptable  reduc- 
tion in  residual  strength.  In  practice  the  inspection  mtervals  for  such 
elements  are  intended  to  detect  cracks  and  corrosion  at  a sufficiently 
early  stage  to  prevent  the  first  member  fi  >m  failing.  This  early  detection 
of  damage  also  lowers  the  cost  of  repairs;  however,  we  do  not  differen- 
tiate between  structura'  integrity  and  economic  considerations  in  the 
100  percent  program. 

In  contrast,  the  failure  of  a class  3 or  class  4 item,  by  definition,  has 
only  a small  effect  on  residual  strength,  and  such  items  also  have  little 
susceptibility  to  deterioration.  Consequently  we  can  permit  econo:"  ic 
considerations  to  play  a large  role  in  their  scheduled-maintenance 
requirements.  Detection  of  deterioration  in  its  early  stages  will  reduce 
the  cos*  of  repairs,  but  this  saving  must  be  balanced  against  the  cost  of 
the  inspections  necessary  to  find  the  first  evidence  of  deterioration  in 
every  airplane.  A sampling  plan  is  therefore  used  to  determine  the  age 
characteristics  of  the  fleet,  with  full  knowledge  that  individual  unin- 
spected airplanes  may  require  expensive  repairs  by  the  time  the  sample 
inspections  identify  a problem  area.  Since  the  issue  in  this  case  is  not 
320  APPLICATIONS  structural  integrity,  but  the  relative  cost  of  repairs,  the  risk  of  occasional 


high  repair  costs  is  acceptable  if  the  result  is  a marked  reduction  in 
inspection  costs.  This  exposure  would  not  be  acceptable,  of  course,  for 
class  1 and  class  2 items,  where  a failure  would  have  a marked  effect  on 
residual  strength. 

A relatively  small  number  of  sample  inspections  may  be  adequate 
for  economic  purposes.  For  example,  suppose  an  item  has  a relatively 
shoq  average  fatigue  life  of  60,000  hours.  In  a sample  of  10  airplanes  all 
of  same  total  age,  the  probability  of  discovering  this  defect  by  50,000 
hou  is  .63,  and  the  same  defect  would  be  expected  to  appear  at  this 
ige  in  10  percent  of  the  uninspected  airplanes,*  In  practice,  however, 
the  sample  inspections  are  performed  on  highest-age  airplanes,  and 
when  the  defect  is  discovered,  its  incidence  in  the  lower-age  airplanes- 
in  the  rest  of  the  fleet  will  be  much  less  than  10  percent.  In  bygone 
years,  when  a large  number  of  airplanes  were  to  be  inspected  at  a fixed 
major- inspection  interval  it  was  common  practice  to  inspect  items  of 
relatively  low  significance  on  a fraction  of  the  fleet— say,  every  fifth 
airplane  — and  this  practice  was  referred  to  as  fractional  sampling. 

Once  the  sampling  inspections  have  identified  the  age  at  which  an 
item  begins  to  show  signs  of  deterioration,  some  action  must  be  taken. 

Inis  may  be  an  increase  in  the  number  of  aircraft  sampled,  perhaps  to 
100  percent,  or  it  may  be  treatment  o modification  of  the  affected  area' 
to  forestall  deterioration  in  other  airplanes.  For  example,  doublers  may 
be  installed  on  all  airplanes,  or  protective  coatings  may  be  applied  to 
prevent  corrosion.  As  the  fleet  ages,  more  and  more  of  the  sampling 
inspections  will  revert  to  100  percent  inspections  unless  such  basic 
preventive  measures  are  taken. 

As  the  operating  fleet  of  a specific  type  of  airplane  ages  in  service, 
from  time  to  time  it  is  necessary  to  conduct  a thorough  review  of  the 
structural  maintenance  program  in  1 ight  of  the  information  obtained 
from  operating  experience  and  later  manufacturer's  tests.  In  1976  Doug- 
las \ircraft  conducted  such  a review  for  the  DC-8,  and  special  inspec- 
tions for  27  items  wore  added  to  the  program  for  airplanes  with  ages 
greater  than  r>0,000  hours.  Similar  reviews  of  its  structural  designs  are 
being  conducted  by  Boeing  The  British  Civil  Aviation  Authority  now 
requires  a Structural  Integrity  Audit  and  Inspection  Documents 

5 structural  Integrity  Audit  and  Inspection  Document 

5.1  The  Constructor's  Role  For  each  aeroplane  type  to  which  this 
Notice  is  applicable  the  necessary  work  is  that  the  constructor 
should  carry  out  a 'structural  integrity  audit'  in  which  each 

*M.  E.  Stone  and  H.  F.  Heap.  Developing  the  DC-10  Structural  Inspection  Program,  Seventh 
Annual  FAA  International  Maintenance  Symposium, Oklahoma  City.Okla..  December  7-9, 

1471, 

tContinuing  Structural  Integrity  of  Transport  Aeroplanes,  Civil  Aviation  Authority,  Air- 
worthiness Notice  84,  August  23,  1°78.  SECTION  11-3 


area  of  the  structure  for  which  fail-safe  characteristics  are 
critical  is  considered,  and  the  acceptable  extent,  rate  of 
growth,  and  detectability  of  damage  is  assessed,  together 
with  the  probability  of  damage  being  present  in  associated 
areas.  Based  on  this  Audit,  an  Inspection  Document  should 
be  drawn  up  and  made  available  to  operators. 

5.1.1  The  Inspection  Document  should  include: 

(a)  A statement  of  (or  reference  to)  all  the  inspections  And 
replacements,  repairs  oi  modifications)  confide'  i by  the 
constructor  to  be  necessary  to  ensure  that  a sr  e level  of 
'tructural  strength  will  be  maintained. 

(b)  For  each  location,  the  thresholds  (time/flights,  to  first 
inspection)  frequencies  and  type  and  method  of  inspections 
required  and  the  extent  of  damage  which  it  is  aimed  to  be 
able  to  fjnd. 

(c)  Reference  to  the  types  of  operations  for  which  it  is  con- 
sidered valid.  Note:  Its  validity  may,  of  course,  be  varied  by 
reissue  from  time  to  time. 

5.1.2  The  Inspection  Document  v\  ould  have  to  be  prepared  on  the 
basis  of  a Structural  Integrity  Audit  (or  other  process  provid- 
ing similar  results)  generally  acceptable  to  the  Authority, 
but  would  not  require  approval  in  detail.  Guidance  on  the 
method  of  carrying  out  a Structural  Integrity  Audit  and  as  to 
what  should  be  included  in  the  Inspection  Document  is 
given  in  CAA  Information  Leaflet,  Continuing  Integrity  of 
Transport  Aeroplanes. 

While  the  manufacturer  is  formally  responsible  for  conducting  these 
structural  reviews,  their  value  depends  on  adequate  information  from 
operating  organizations. 

Quite  apart  from  problems  associated  with  higher  ages,  there  is 
always  the  possibility  of  an  unanticipated  failure  of  a structural  item  at 
more  modest  ages,  just  as  there  is  for  systems  and  powerplant  items. 
One  such  example  was  the  cracking  of  the  Boeing  747  floor  beams  as  a 
result  of  cyclic  loading  from  cabin  pressurization.  This  problem  was 
first  discovered  when  increased  floor  flexibility  and  loose  seats  were 
reported  in  an  airplane  that  had  accumulated  approximately  8,400 
pressurization  cycles.  The  discovery  led  to  a Boeing  service  bulletin, 
followed  within  a week  by  a U.S.  Department  of  Transportation  air- 
worthiness directive,  detailing  an  on-condition  inspection  program  for 
the  floor  beams  and  specifying  a modification  of  the  structure  to 
eliminate  the  problem.*  The  airworthiness  directive  required  that  all 

*Boeing  Service  Bulletin  747-53-2176,  February  10,  1978,  and  U.S.  Department  of  Trans- 
portation Airworthiness  Directive  78-04-04,  February  16,  1978. 


airplanes  with  more  than  6,000  landings  be  inspected  within  the  next 
100  landings  and  that  the  inspections  be  repeated  within  the  next  1,200 
landings  if  no  cracks  were  found.  If  not  more  than  one  beam  was  found 
to  be  cracked,  and  if  the  crack  in  the  beam  v/eb  was  less  than  3 inches 
long,  the  crack  would  be  stop-drilled  and  inspected  for  evidence  of 
further  progression  within  the  next  50  landings,  subject  to  the  provision 
that  the  crack  be  permanently  repaired  within  1,230  landings.  If  a crack 
more  than  3 inches  long  was  found,  repair  was  required  before  further 
flight. 

Note  that  this  directive  embodies  the  concept  of  a long  initial  inter- 
val followed  by  short  repeat  intervals.  In  this  case  both  of  the  inter- 
vals are  firmly  established  by  information  derived  from  actual  operating 
experience.  The  continuing  age  exploration  of  damage-tolerant  struc- 
ture will  lead  to  the  same  results.  Once  the  age  at  which  fatigue  damage 
becomes  evident  has  been  identified  for  each  item,  there  will  either 
be  short  inspection  intervals  starting  at  this  age  or  else  a design  modi- 
fication that  extends  the  fatigue  life  of  the  item  and  makes  the  inspec- 
tion task  unnecessary. 

The  decision  to  modify  an  airplane  structure  depends  on  its  re- 
maining technologically  useful  life.  When  the  airplane  is  likely  to  be 
outdated  soon  by  new  designs,  it  is  usually  difficult  to  justify  struc- 
tural modifications  on  economic  grounds,  and  it  may  be  necessary  to 
perform  frequent  inspections  of  items  that  have  been  identified  as 
approaching  their  fatigue  lives.  In  this  case  there  is  an  increasing  like- 
lihood that  the  detection  of  a fatigue  crack  will  also  take  the  airplane 
out  of  sendee  for  repair,  and  if  the  cost  of  repair  cannot  be  justified,  it 
may  be  necessary  to  retire  the  airplane.  Whenever  an  active  modi- 
fication policy  is  not  followed,  the  frequency  of  repair  and  the  number 
of  out-of-service  incidents  will  be  a direct  function  of  the  increasing 
age  of  the  airplane. 

It  is  frequently  considered  axiomatic  that  all  structural  inspections 
must  be  intensified  when  an  airplane  reach*5.,  higher  ages.  However, 
this  has  not  necessarily  been  the  experience  with  transport  aircraft 
because  of  the  policy  of  modifying  items  as  coon  as  they  are  identified 
as  nearing  their  fatigue  lives.  Consequently  in  decisions  concerning 
fleet  retirement  the  cost  of  maintaining  structural  integrity  has  been 
secondary  to  such  factors  as  fuel  consumption,  speed,  passenger  accep- 
tance, and  payload/range  capability. 

When  a safe-life  structural  item  reaches  its  defined  life  limit  there 
is  usually  no  alternative  to  replacing  it  with  a new  one.  Thus  an  airplane 
designed  to  safe-life  structural  criteria  must  have  greater  economic 
viability  than  one  designed  as  damage-tolerant  structure  in  order  to 
justify  the  more  expensive  procedures  that  are  required  for  continued 
operation. 
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11*4  INTERVALS:  AN  INFORMATION  PROBLEM 


the  role  of  .ige  exploration 
the  dynamics  of 
product  improvement 


The  difficulty  of  establishing  "correct"  intervals  for  maintenance  tasks 
is  essentially  an  information  problem,  and  one  that  continues  through- 
out the  operating  life  of  the  equipment.  With  the  techniques  of  RCM 
analysis  it  is  fairly  simple  to  decide  what  tasks  to  include  in  a scheduled- 
maintenance  program,  but  the  decision  logic  does  not  cover  the 
intervals  at  which  these  tasks  are  to  be  performed.  Since  rework  and 
economic-life  tasks  are  developed  on  the  basis  of  age  exploration,  the 
intervals  for  these  tasks  cannot  be  determined  until  operating  infor- 
mation becomes  available.  Safe-life  intervals,  which  are  based  on  the 
manufacturer's  test  data,  are  set  prior  to  service  with  the  expectation 
that  operating  information  will  never  become  available.  The  most  effec- 
tive preventive  tool  in  a maintenance  program,  however,  is  on-condition 
inspeclions,  and  in  this  case  there  is  just  not  enough  information  to 
set  fixed  intervals,  even  after  airplanes  are  in  service  and  age  explora- 
tion is  under  way. 

At  the  time  an  initial  program  is  developed  the  available  informa- 
tion is  usually  limited  to  prior  experience  with  similar  items,  famili- 
arity with  the  manufacturer's  design  practices,  and  the  results  of  the 
developmental  and  fatigue  tests  for  the  new  airplane.  With  this  infor- 
mation it  is  possible  to  arrive  at  a rough  estimate  of  the  ages  at  which 
signs  of  deterioration  can  be  expected  to  appear.  However,  the  initial 
intervals  are  then  set  at  cnly  a fraction  of  these  ages.  Indeed,  the  fraction 
may  be  a very  small  one,  to  force  intensive  age  exploration,  if  the 
manufacturer  is  relatively  inexperienced,  if  the  design  contains  new 
materials  or  processes,  or  if  the  airplane  is  to  be  operated  in  an  unfa- 
miliar environment.  While  there  is  some  economic  penalty  in  the  use 
of  such  short  intervals,  the  overall  impact  is  small  because  the  intent 
is  to  increase  the  intervals  on  the  basis  of  actual  operating  data  as  the 
new  fleet  grows  in  sioe. 

The  basic  concept  underlying  on-condition  inspections  is  that  the 
interval  to  the  first  inspection  shruld  be  long  enough  for  some  physi- 
cal evidence  of  deterioration  to  be  seen,  and  the  interval  for  repeat 
inspections  should  be  short  enough  to  ensure  that  any  unit  that  has 
reached  the  potential-failure  stage  will  be  removed  from  service  before 
a functional  failure  can  occur.  In  theory,  then,  it  seems  that  the  problem 
should  merely  be  one  of  using  age  exploration  to  determine  the  appro- 
priate intervals  for  first  inspection  and  repeat  inspections  of  each  item, 
and  that  once  this  is  done  the  intervals  can  be  fixed.  However,  matters 
are  not  quite  that  simple. 

In  most  cases,  particularly  if  the  remaining  service  life  of  the  air- 
plane is  high,  once  the  potential-failure  ages  of  significant  items  have 
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been  identified,  they  will  be  judged  undesirably  low.  Items  will  there- 
fore be  modified  to  increase  their  longevity,  and  there  must  be  another 
age-exploration  cycle  to  determine  the  intervals  appropriate  to  the 
improved  item.  Consequently  any  set  of  initial  and  repeat  intervals  may 
apply  only  from  the  time  the  original  information  becomes  available 
until  the  time  the  modified  item  goes  into  service.  While  the  dynamics 
of  this  process  add  to  the  age-exploration  requirements,  they  also  re- 
duce the  growth  in  the  maintenance  workload  associated  with  short 
repeat  intewals  for  more  items  as  the  airplane  grows  older. 

11*5  RESOLVING  DIFFERENCES  OF  OPINION 

It  is  inevitable  that  there  will  be  differences  of  opinion  concerning  the  benefits  of  a rework  task 

interpretation  of  operating  information  and  the  revisions  that  should  the  need  toT  * safe-life  limit 

be  made  to  the  scheduled-maintenance  program.  In  most  cases  these 
differences  can  be  resolved  by  reference  to  the  principles  underlying 
the  development  of  an  RCM  program. 

One  common  situation  is  that  of  an  item  initially  assigned  to  no 
scheduled  maintenance  which  has  experienced  a high  in-service  failure 
rate.  Although  the  failure  is  one  that  has  no  safety  consequences,  the 
engineer  may  assume  that  all  mechanical  items  have  a wearout  age  and 
that  the  high  failure  rate  is  in  itself  evidence  of  wearou';.  On  this  basis 
he  might  propose  that  the  item  be  assigned  a scheduled  rework  task 
to  improve  its  reliability.  The  data  required  for  an  actuarial  analysis 
are  available  in  this  case,  since  the  failure  rate  is  high;  hence  we  can 
gain  a fair  picture  of  the  item's  age-reliability  characteristics.  If  the  con- 
ditional-probability curve  does  show  an  increase  with  age,  then  the 
failure  rate  that  would  result  from  the  imposition  of  any  given  age  limit 
can  be  computed  as  described  in  Chapter  3. 

So  far  there  is  no  difference  of  opinion.  However,  scheduled  re- 
movals wili  certainly  increase  the  shop  workload.  The  cost  of  the  in- 
creased workload  must  therefore  be  compared  with  the  saving  that 
would  result  from  a reduction  in  the  failure  rate.  If  these  added  costs 
outweigh  the  benefits,  the  task  may  be  applicable,  but  it  is  not  cost- 
effective.  Even  when  the  proposed  task  appears  to  be  cc>  t-effective, 
there  may  be  other  difficulties.  Very  ofi°n  the  items  that  show  high 
failure  rates  in  service  ’ -ere  not  expected  to  do  so.  Thus  the  spare-unit 
inventory  is  already  inadequate  as  a result  of  these  unexpected  fail- 
ures, and  the  same  is  true  of  the  parts  and  tools  needed  for  repairs. 

Consequently  a rework  task,  although  economically  desirable  on  other 

, grounds,  may  be  impractical,  since  adding  scheduled  removals  to  the 

current  workload  would  increase  an  already  serious  logistics  problem/ 

J.  'For  a further  discussion  of  this  point  see  Section  C.5  in  Appendix  C.  SECTION  II  >5  325 
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There  is  usually  no  difficulty  in  reaching  an  agreement  if  it  turns 
out  that  it  is  not  practical  to  implement  a scheduled  rework  task.  Sup- 
pose, however,  that  the  conditional-probability  curve  shows  that  a re- 
work task  is  not  applicable  to  the  item  in  question.  In  this  case  the 
difference  of  opinion  may  be  more  difficult  to  resolve.  The  engineer 
may  want  to  know  why  the  actuarial  curves  do  not  support  his  intui- 
tive belief  that  a high  failure  rate  is  synonymous  with  wearout,  and  an 
analyst  working  with  statistical  data  is  often  not  equipped  to  explain 
why  a particular  item  does  not  show  wearout  characteristics.  The  situa- 
tion may  be  further  complicated  when  teardown  inspections  show  the 
surviving  units  to  be  in  poor  physical  condition.  There  have  been  many 
instances  in  which  highly  qualified  inspection  teams  have  judged  the 
parts  of  time-expired  samples  to  be  in  such  poor  condition  that  they 
could  not  have  survived  to  a proposed  higher  age  limit.  Nevertheless, 
when  these  items  were  allowed  to  continue  in  service  with  no  age 
limit,  subsequent  analysis  of  their  operating  histories  showed  no  actual 
increase  in  their  failure  rates.  Under  these  circumstances  the  discrepancy 
is  between  two  sets  of  physical  facts,  and  while  the  difference  of  opinion 
may  not  be  resolved,  an  understanding  of  the  principles  discussed  in 
Chapters  2 and  3 will  at  least  provide  the  basis  for  arriving  at  a decision. 

Occasionally  the  problem  is  one  that  requires  reference  to  the 
decision  logic  itself.  The  following  situation  is  more  complex,  end 
fortunately  far  less  common.  The  initial  maintenance  program  for  the 
Douglas  DC-8  called  for  lubrication  of  the  flight-control  elevator  bear- 
ings at  every  D check.  At  this  time  half  the  bearings  were  to  be  removed 
and  inspected;  those  in  good  condition  were  then  reinstalled  and  the 
others  were  scrapped.  Tfjis  task  specification  had  remained  in  the 
program  without  change  for  many  years.  During  that  time  there  had 
been  major  extensions  of  the  D-check  interval,  and  the  interval  for 
newer  planes  entering  the  fleet  had  reached  17,000  hours.  When  these 
later  planes  aged  to  the  D-check  interval,  however,  the  inspections 
showed  that  many  of  the  bearings  were  badly  corroded.  The  inner 
race  was  difficult  or  impossible  to  turn  by  hand,  and  when  it  could  be 
turned,  some  of  the  bearings  felt  rough.  Obviously  the  interval  between 
lubrications  had  become  too  long,  and  it  was  reduced  accordingly  to 
the  C-check  interval.  But  the  problem  was  what  to  do  about  the  high- 
time bearings  in  the  rest  of  the  operating  fleet.  One  group  insisted  that 
the  situation  was  critical  and  that  all  high-time  bearings  would  have  to 
be  removed  from  service  immediately;  this  was  tantamount  to  imposing 
a safe-life  limit  on  the  bearings.  Another  group  felt  that  such  drastic 
action  was  not  warranted. 

For  a clearer  picture  of  the  problem  let  us  consider  the  bearing  it- 
self as  a significant  item.  This  item  is  a roller  bearing  housed  in  a fitting 
attached  to  the  stabilizer.  A hinge  bolt  on  the  elevator  passes  through 


the  bearing  to  form  a control-surface  hinge.  The  function  of  the  bearing 
is  to  reduce  friction  and  wear  (and  consequent  free  play)  in  the  rotating 
joint.  Only  two  types  of  failure  are  important:  wear  or  mechanical  dam- 
age, resulting  in  looseness  or  free  play  in  the  bearing,  and  unacceptable 
operating  friction,  leading  to  seizure  of  the  inner  and  outer  bearing 
races.  This  latter  failure  mode  is  the  one  of  concern. 

The  designer's  description  of  the  control  system  for  this  aircraft 
states  in  part:* 

Flight  control  surface  hinges  and  pilot  control  system  rotating  joints 
were  designed  to  be  tolerant  of  inevitable  deterioration  and/or 
possible  failure  of  bearings.  Possible  seizure  of  a bearing's  inner 
and  outer  races  is  compensated  for  by  assuring  that  the  bearing's 
function  is  transferred  to  the  rotating  joint's  pin  or  shaft.  Friction 
in  th  ■ auld  increase  considerably  in  this  event,  but  would 

not  v relative  motion  between  components.  Control  surface 
momef-ts  about  the  hinge  line  are  so  great  that  bearing  seizure  can- 
not impede  surface  travel.  Control  surface  hinges  and  other  rotating 
joints  that  would  be  adversely  affected  by  bearing  free  play  are 
redundant  such  that  deterioration  or  failure  of  the  bearing  in  this'x 
mode  will  not  create  intolerable  levels  of  looseness  or  structural 
loading  of  the  connection  and  will  not,  therefore,  affect  the  air- 
worthiness of  the  airplane. 

If  we  apply  the  decision  logic  to  these  characteristics,  we  see  im- 
mediately that  a loss  of  function  in  this  bearing  will  not  be  evident  to 
the  operating  crew.  When  flight  tests  were  conducted  on  equipment 
with  high-time  bearings,  the  handling  characteristics  of  the  airplane 
were  normal  even  though  subsequent  inspections  showed  that  the 
bearings  were  seriously  deteriorated.  However,  while  a bearing  failure 
has  no  direct  effect  on  safety,  its  function  is  hidden.  Therefore  a sched- 
uled task  for  the  bearing  is  required  to  avoid  the  risk  of  a multiple 
failure.  The  first  possibility  in  the  hidden-function  sequence  is  an  on- 
condition  task,  and  we  find  that  there  is  already  such  a task  in  the 
program  Combined  with  more  frequent  lubrication,  the  scheduled 
inspection  of  the  bearings  for  wear  should  ensure  adequate  availability 
(although  the  interval  for  this  task  might  require  adjustment  as  well). 

The  conclusion  in  this  case  was  that  the  situation  was  not  critical 
and  there  was  no  need  to  impose  a safe-life  limit  on  the  bearing.  How- 
ever, those  airplanes  with  high-time  bearings  that  might  already  have 
been  affected  by  inadequate  lubrication  were  scheduled  for  bearing 
inspection  prior  to  20,000  hours  as  a failure-finding  task. 


*R.  N.  Frankel,  Douglas  Aircraft  Company,  letter  to  R.  M.  Casterline,  United  Airlines, 
September  25,  1974. 
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11  ‘6  PURGING  THE  PROGRAM 


conducting  the  review 
typical  findings 


One  of  the  most  important  activities  in  the  management  of  an  ongoing 
maintenance  program  is  periodic  purging  of  the  entire  program,  an 
organized  review  of  all  scheduled  tasks  to  identify  those  that  are  no 
longer  worth  continuing.  Often  the  conditions  that  originally  supported 
the  inclusion  of  a specific  task  will  have  changed,  and  the  task  can  now 
be  deleted  from  the  program.  Moreover,  in  a maintenance  organization 
concerned  with  complex  equipment  many  different  groups  will  be 
responsible  for  adding  tasks  to  the  program,  and  the  additions  are 
often  made  without  enough  attention  to  the  totality  of  scheduled  tasks. 
For  this  reason  it  is  necessary  to  conduct  a formal  review  every  three 
to  five  years  to  purge  the  program  of  all  tasks  that  have  become  super- 
fluous. The  results  can  be  impressive.  In  such  a review  of  the  Boeing  747 
program  after  the  airplane  had  been  in  service  for  six  years,  so  many 
tasks  were  eliminated  from  the  phase-check  package  (a  combination 
of  B and  C checks)  that  the  manhours  required  to  ac  omplish  the  sched- 
uled work  in  this  package  were  reduced  by  21  percent. 

The  review  should  be  conducted  by  a special  team,  with  represen- 
tatives from  each  of  the  organizational  groups  concerned  with  the 
maintenance  program.  The  people  selected  must  be  knowledgeable  and 
objective  and  fully  prepared  to  challenge  the  continued  requirement 
for  any  scheduled  task.  Once  the  group  has  been  assembled,  it  will 
ordinarily  be  responsible  for  developing  review  standards  and  proce- 
dures, collecting  and  summarizing  data,  and  assembling  review  pack- 
ages consisting  of  task  job  cards,  a sample  of  typical  inspection  find- 
ings, and  a list  of  the  review  procedures.  The  review  packages  are 
then  processed  through  the  various  departments  involved,  including 
production  (maintenance  shops),  production  planning,  reliability  anal- 
ysis, and  engineering,  after  which  they  are  returned  to  the  review  team 
for  resolution  of  any  disagreements.  The  review  team  then  obtains  ap- 
proval for  the  changes  and  repackages  the  tasks  for  implementation. 
Certain  findings  are  typical  in  such  a review: 

► Scheduled  tasks  that  do  not  meet  the  criteria  for  applicability  and 
effectiveness;  these  can  be  deleted  from  the  program. 

► Tasks  that  originally  met  these  criteria  but  are  no  longer  effective 
because  of  subsequent  modifications  to  the  equipment;  these  can 
be  deleted  from  the  program. 

► The  absence  of  tasks  that  do  meet  the  criteria;  these  can  be  added. 

► Tasks  that  are  duplicated;  the  duplication  can  be  eliminated. 
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► Task  intervals  that  are  either  too  long  or  too  short;  these  intervals 
can  be  adjusted. 

► Job  cards  that  either  do  not  clearly  define  the  requirements  of  the 
task  and  the  procedures  to  be  followed  or  do  not  reflect  the  intent 
of  the  engineering  department;  these  can  be  revised. 

The  final  result  of  the  review  will  be  a more  effective  program,  as  well  as 
a less  costly  one. 
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CHAPTER  TWELVE 


the  role  of  scheduled  maintenance 


THIS  CHAPTER  is  a reprise.  It  brings  together  the  concepts  discussed  in 
preceding  chapters  to  expand  in  several  areas  on  the  role  of  scheduled 
maintenance.  One  of  these  areas  is  the  relationship  of  safety,  reliability, 
and  scheduled  maintenance  as  it  pertains  to  the  modem  air-transport 
industry.  In  particular,  we  will  examine  the  current  safety  level  of  trans- 
port airplanes,  the  manner  in  which  this  basic  safety  level  is  affected  by 
various  types  of  functional  failures,  and  the  proposed  requirement  that 
the  likelihood  of  certain  failures  not  exceed  one  in  a billion  flights.  We 
will  also  consider  the  design-maintenance  partnership  and  the  type  of 
relationship  necessary  both  to  realize  the  inherent  safety  and  reliability 
of  the  equipment  and  to  identify  the  specific  design  modifications  that 
will  improve  it. 

In  the  preceding  chapters  we  have  discussed  the  development  and 
evolution  of  RCM  programs  for  new  equipment.  Because  operating  data 
are  already  available  for  in-service  fleets,  it  is  a simple  matter  to  extend 
RCM  analysis  to  the  many  types  of  airplanes  that  are  currently  being 
supported  by  maintenance  programs  developed  along  other  lines.  How- 
ever, the  same  principles  extend  to  any  complex  equipment  that  requires 
a maintenance  support  program.  Although  older  designs  may  have  more 
limited  capability  for  on-condition  inspections  to  protect  functional 
reliability,  RCM  analysis  will  pinpoint  their  specific  maintenance  re- 
quirements, and  thus  permit  the  elimination  of  costly  tasks  which  are 
not  applicable  and  effective. 
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1 2 • 1 SAFETY,  RELIABILITY,  AND 
SCHEDULED  MAINTENANCE 


As  we  have  seen  throughout  this  volume,  the  failure  process  is  a pheno- 
menon that  cannot  be  avoided  by  any  form  of  preventive  maintenance. 
However,  by  focusing  on  this  process  in  each  item  whose  function  is 
essential  to  the  aircraft,  RCM  programs  ensure  that  the  maximum  capa- 
bilities of  preventive  maintenance  are  used  to  prevent  those  functional 
failures  which  impair  safety  or  operating  capability.  The  nature  and 
extent  of  the  impairment  — the  consequences  of  a particular  failure  — as 
well  as  the  feasibility  of  protecting  against  it,  depend  on  the  design  of 
the  equipment  itself.  It  is  possible  to  design  equipment  in  such  a way 
that  individual  failures  do  not  affect  operating  safety,  or  else  with  spe- 
cific provisions  for  controlling  such  failures  by  scheduled  maintenance. 
These  design  characteristics  determine  the  inherent  safety  level  of  the 
equipment. 

There  is  no  really  satisfactory  analytic  determination  of  the  inher- 
ent safety  level  associated  with  current  airworthiness  requirements  for 
transport  airplanes.  There  have  been  instances  in  which  modem  swept- 
wing  jet  aircraft  have  not  had  the  structural  or  performance  capability  to 
survive  the  conditions  they  encountered  even  when  their  structures 
were  intact  and  all  engines  were  functioning  normally.  The  number  of 
these  accidents  is  too  small  to  provide  meaningful  statistics,  but  in 
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rough  terms  we  might  say  the  safety  level  of  modem  transport  aircraft 
whose  capabilities  have  not  been  reduced  by  any  functional  failures  is 
somewhere  on  the  order  of  lO-7,  or  1 accident  per  10  million  flights. 
Let  us  therefore  examine  the  way  in  which  safety  levels  are  reduced  by 
functional  failures  and  the  role  of  scheduled  maintenance  in  preventing 
this  reduction.  J 

SYSTEMS  FAILURES 

A complete  loss  of  certain  system  functions  would  have  critical  conse- 
quences for  the  aircraft;  for  example,  a loss  of  all  electrical  power  in 
weather  that  requires  instrument  procedures  would  clearly  jeopardize 
the  equipment  and  its  occupants.  Other  system  functions,  such  as 
pressurization  and  air  conditioning,  are  more  forgiving;  pilots  can  com- 
pensate for  the  loss  by  changing  the  conduct  of  the  flight  and,  if 
necessary,  by  making  an  unscheduled  landing.  In  this  case  the  loss  of 
function  affects  operational  capability,  but  it  is  not  critical.  There  are 
many  other  functions  whose  loss  has  only  minor  operational  conse- 
quences or  none  at  all.  However,  the  designer  of  an  aircraft  system  can 
always  ensure  that  the  complete  loss  of  a particular  function  will  be 
extremely  unlikely  simply  by  replicating  the  items  that  provide  that 
function. 

The  availability  of  a system  function  is  usually  a go/no-go  situation; 
either  the  function  is  available  to  the  airplane  or  it  is  not.  When  the 
source  of  a function  is  duplicated  the  probability  of  its  becoming  un- 
available during  a given  flight  is  very  small.  If  a failure  of  one  source 
does  occur,  the  function  is  still  available.  Thus,  although  there  may  be 
many  flights  during  which  one  source  of  the  function  fails,  the  risk  level 
associated  with  any  flight  is  the  probability  of  a joint  event -a  failure  of 
one  source,  followed  during  the  same  flight  by  an  independent  failure 
of  the  remaining  source.  After  the  first  failure,  however,  the  overall 
exposure  per  flight  hour  during  the  remainder  of  the  flight  becomes 
considerably  higher,  (see  Section  2.4).  Consequently  the  actual  risk  level 
may  vary  not  only  during  the  course  of  the  flight,  depending  on  the 
occurrence  or  nonoccurrence  of  a first  failure,  but  also  from  one  flight 
to  another,  depending  on  the  duration  of  the  flight.  The  risk  level  also 
varies,  of  course,  with  the  inherent  reliability  of  the  item  and  the  degree 
to  which  the  function  in  question  is  essential  to  the  aircraft. 

This  situation  is  illustrated  in  Exhibit  12.1.  In  a system  with  two 
independent  sources,  point  A represents  normal  performance  when  all 
the  items  associated  with  both  sources  are  serviceable.  Functional 
performance  at  the  airplane  level  will  still  be  normal  after  a failure  of 
one  of  these  sources,  but  the  risk  per  flight  hour  of  a complete  loss  of 
function  is  now  much  higher  during  the  remainder  of  the  flight.  Except 
for  servicing  and  lubrication,  scheduled  maintenance  usually  can  do 
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EXHIBIT  11*1  The  effect  on  operating  safety  of  functional  failures  in 
the  systems  division. 


very  little  to  reduce  the  failure  frequencies  of  individual  complex  items 
in  the  systems  division.  Failure-finding  tasks  will  ensure  the  repair  of 
items  that  have  already  failed,  but  if  the  failure  rate  proves  unacceptably 
high,  the  only  way  to  improve  the  reliability  of  such  items  is  by  design 
changes.  The  information  derived  from  operating  experience  will  indi- 
cate very  clearly  the  areas  in  which  such  action  is  needed. 

POWERPLANT  FAILURES 

A complete  loss  of  all  propulsive  power  in  an  aircraft  is  always  critical. 
Once  again,  however,  the  likelihood  of  such  a loss  is  made  extremely 
remote  by  replication  of  the  basic  engine  function  on  multiengine  trans- 
port airplanes.  In  some  cases  this  protection  is  also  supported  by  certain 
operating  restrictions.  For  example,  the  length  of  overwater  flights  for 
twin-engine  airplanes  in  commercial  service  is  restricted  to  ensure  that 
the  airplane  will  not  have  to  fly  more  than  one  hour  if  an  engine  be- 
comes inoperative.  Similarly,  transport  aircraft  operating  on  trans- 
oceanic flights  are  restricted  in  weight  to  ensure  that  with  two  engines 
inoperative  the  remaining  engines  will  still  provide  the  specified  rate 
of  climb. 

Although  the  design  goal  is  assurance  of  adequate  power  to  over- 
come any  conditions  that  the  airplane  may  encounter,  there  is  still  the 
remote  possibility  of  extreme  turbulence  or  wind  shear  that  it  cannot  sur- 
vive even  with  all  engines  operative.  When  one  or  more  engines  are  in- 
operative, even  though  the  remaining  engines  provide  the  required 
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minimum  thrust,  the  airplane's  performance  capabilities  are  reduced. 
Thus  there  is  an  increased  risk  during  the  remainder  of  the  flight  thiu 
it  will  encounter  conditions  that  cannot  be  handled.  This  risk  may  vary 
during  the  course  of  a flight,  since  it  is  higher  after  an  engine  shutdown 
than  it  is  when  all  engines  can  develop  full  power.  The  safety  level  may 
also  vary  from  flight  to  flight,  since  airplanes  fly  at  different  weights 
below  the  maximum  permissible  ones,  and  airport  conditions,  en  route 
terrain,  and  atmospheric  conditions  all  vary  from  one  flight  to  another. 

The  general  effect  of  an  in-flight  engine  shutdown  on  the  le^el  of 
operating  risk  is  illustrated  in  Exhibit  12.2.  The  performance  capability 
of  the  airplane,  and  hence  the  risk  level,  can  be  measured  in  terms  of 
available  rate  of  climb.  The  risk  is  lowest  when  all  the  engines  can  gen- 
erate full  power  and  increases  as  the  airplane  has  less  reserve  power  to 
draw  upon.  Unlike  most  systems  functions,  however,  the  situation  is 
not  limited  to  the  two  cases  defined  by  points  A and  B.  Since  an  engine 
failure  is  defined  as  the  inability  to  develop  a specified  amount  of 
thrust,  there  are  many  functional  failures  in  which  power  is  reduced, 
but  not  entirely  lost.  Thus  the  risk  level  may  fall  at  various  points  be- 
tween A and  B. 

In  multiengine  aircraft  the  primary  control  in  maintaining  a safe 
level  of  available  performance  is  flight-by-flight  control  of  the  oper- 
ating weight  of  the  airplane.  Whenever  the  actual  operating  weight 
is  less  than  the  maximum  performance-limited  weight,  the  available 
rate  of  climb  is  increased  accordingly.  The  effect  of  this  weight  reduction 
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on  the  risk  level  is  shown  in  Exhibit  12.2.  Scheduled  maintenance  does 
play  a secondary  role,  however,  since  it  reduces  the  frequency  of  engine 
failures,  and  hence  the  frequency  with  which  the  risk  level  approaches 
point  B.  In  the  case  of  single-engine  aircraft,  of  course,  scheduled  main- 
tenance is  the  primary  control,  since  there  is  only  one  source  of  p r 
regardless  of  the  operating  weight. 

Scheduled  maintenance  can  accomplish  much  more  for  engines  than 
it  can  for  some  of  the  systems  items.  Because  modem  aircraft  engines 
are  designed  to  facilitate  the  use  of  advanced  inspection  technology, 
many  parts  of  the  engine  can  be  inspected  without  removing  them  from 
the  airplane.  Thus  on-condition  tasks  can  be  employed  to  protect  indi- 
vidual engines  against  many  types  of  functional  failures,  and  safe-life 
tasks  usually  prevent  the  few  types  of  failures  that  can  cause  critical 
secondary  damage.  While  the  inherent  level  of  risk  depends  on  the 
degree  of  engine  replication  an<’  the  design  features  of  individual  en- 
gines, the  overall  effect  of  scf  eduled  maintenance  for  a multiengine 
airplane  is,  in  fact,  equivalent  to  the  effect  that  could  be  achieved  by  a 
reduction  in  operating  weight. 

STRUCTURAL  FAILURES 

The  consequences  of  a structural  failure  depend  on  the  design  chaict- 
teristics  of  the  structure,  but  the  functional  failure  of  any  major  assembly 
is  usually  critical.  With  the  exception  of  the  landing  gear,  it  is  rarely 
possible  to  replicate  major  structural  assemblies;  hence  scheduled 
maintenance  is  the  only  technique  available  to  control  the  likelihood  of 
functional  failures.  Although  it  usually  includes  some  safe-life  tasks,  the 
maintenance  program  consists  for  the  most  part  of  on-condition  inspec- 
tions directed  at  specific  structural  sites.  It  is  possible  to  rely  on  on- 
condition  tasks,  not  only  because  they  are  applicable  in  all  cases,  but  also 
because  most  modern  aircraft  structures  are  designed  to  be  damage- 
tolerant  — that  is,  they  are  designed  to  ensure  that  the  residual  strength 
of  a structural  assembly  meets  specified  standards  after  the  fracture  of 
an  individual  element.  Although  the  objective  of  the  inspections  is  to 
prevent  the  fracture  of  single  elements,  the  practice  of  damage-tolerant 
design  ensures  that  a structural  assembly  will  still  be  capable  of  with- 
standing the  defined  damage-tolerant  load  in  the  event  that  a fracture 
does  occur. 

As  in  the  case  of  the  powerplant,  there  is  always  the  remote  possi- 
bility that  an  aircraft  structure  will  encounter  loading  conditions  it 
cannot  withstand  even  though  there  has  been  no  reduction  of  its 
original  strength.  Again,  the  risk  level  can  also  vary  during  a single 
flight  and  from  one  flight  to  another.  If  a structural  element  fractures 
in  the  course  of  a flight,  the  residual  strength  will  be  slightly  lower 
during  the  remainder  of  the  flight.  Similarly,  since  the  fractured  element 
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EXHIBIT  12 '3  The  effect  on  operating  safety  of  functional  failures  in 
the  structure  division. 


may  not  be  discovered  and  repaired  until  the  next  inspection,  the  risk 
level  can  vary  from  flight  to  flight,  depending  on  whether  a fracture  has 
occurred  and  the  effect  on  residual  strength  of  the  particular  element 
that  fractures.  In  addition,  the  operating  weights  of  individual  airplanes 
may  be  much  less  than  the  required  structural  limits,  and  there  is  a wide 
variation  — sometimes  from  one  moment  to  the  next  - in  atmospheric 
conditions. 

Exhibit  12.3  illustrates  the  general  effect  that  functional  failures 
(fractures)  of  individual  structural  elements  have  on  the  risk  level  asso- 
ciated with  damage-toierant  assemblies.  The  assembly  itself  will  suffer 
a critical  loss  of  function  if  it  cannot  withstand  any  load  to  which  the 
airplane  is  exposed.  The  risk  of  such  an  event  is  lowest  when  the  struc- 
ture is  intact,  at  point  A.  Tne  operating  weight  of  the  airplane  is  restricted 
to  ensure  that  the  structure  can  withstand  certain  defined  loading  con- 
ditions in  its  undamaged  state;  it  must  also  be  able  to  withstand  the 
defined  damage- tolerant  load  at  the  same  weight.  After  a failure  occurs, 
the  risk  level  increases  to  point  B and  remains  at  this  level  until  the 
damage  is  found  and  corrected.  As  in  the  powerplant  division,  however, 
the  actual  operating  risk  can  assume  any  value  between  A and  B,  and  the 
risk  under  any  specific  set  of  conditions  is  reduced  when  the  operating 
weight  is  less  than  the  maximum  permissible  structural  weight. 

The  primary  control  of  the  safety  level  for  structures,  then,  is  pro- 
vided by  damage- tolerant  design  practices  and  the  control  of  operating 
weights.  The  role  oi  scheduled  maintenance  in  this  case  >s  to  prevent 
the  fracture  of  individual  elements  by  detecting  fatigue  cracks  in  these 
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elements  soon  after  they  occur.  When  the  program  is  effective,  the 
operating  risk  rarely  rises  above  the  level  represented  by  point  A.  Once 
again,  the  overall  effect  of  scheduled  maintenance  is  equivalent  to  the 
effect  that  would  be  achieved  by  a reduction  in  operating  weight. 


12*2  AIR-TRANSPORT  SAFETY  LEVELS 


THE  PROBLEM  Of  RISK  EVALUATION 

As  we  have  seen,  there  is  a remote  but  undetermined  risk  level  associ- 
ated with  an  airplane  before  its  resistance  to  failure  is  reduced  by  any  of 
the  forms  of  impairment  to  which  it  is  exposed.  This  inherent  level  is 
increased  by  functional  failures,  Tut  the  amount  of  increase  depends  on 
such  design  features  as  the  replication  of  essential  functions  and  the 
use  of  multiple  toad  paths  in  damage-tolerant  structures.  Scheduled 
maintenance  merely  reduces  the  frequency  with  which  functional 
failures  occur,  and  hence  the  frequency  with  which  the  basic  risk  levels 
are  exceeded.  Unfortunately,  however,  we  have  no  precise  means  of 
assessing  either  the  inherent  level  of  risk  or  the  increased  risks  that  do 
result  from  failures. 

At  first  glance  the  assessment  of  risks  in  the  systems  division  might 
seem  to  be  a simple  ma<  r of  computing  flight  hours  and  the  failure 
rates  of  individual  items.  The  problem  is  not  this  straightforward,  how- 
ever, because  the  results  of  these  considerations  must  be  modified  by  a 
probability  distribution  rep  esenting  the  degree  to  which  each  function 
is  essential  for  the  safety  of  any  individual  flight.  Another  important 
variable,  and  one  that  is  least  amenable  to  analytic  treatment,  is  the 
ability  of  the  pilot  to  respond  to  and  compensate  for  many  types  of  sys- 
tems failures. 

Risk  evaluation  in  the  powerplant  and  structure  divisions  is  even 
more  difficult.  Airplane  performance  and  structural-strength  require- 
ments have  slowly  increased  over  the  years  as  a result  of  the  few  ac- 
cidents that  have  occurred,  until  they  have  become  stringent  enough  to 
produce  the  current  safety  record.  Thus  both  performance  and  strength 
requirements  are  based  on  empirical  data  associated  with  the  rare-events 
end  of  a probability  distribution  describing  the  conditions  that  airplanes 
must  be  able  to  withstand.  The  problem  of  assessing  the  basic  risk  level 
for  any  individual  airplane  is  further  complicated  by  operating  weights 
which  are  usually  much  less  than  the  airworthiness  limits  and  flight 
procedures  which  may  differ  markedly  from  those  assumed  for  air- 
worthiness purposes.  Consequently,  even  if  the  effect  of  each  reduction 
in  failure  resistance  could  be  evaluated  satisfactorily,  we  have  no  means 
of  determining  the  actual  level  fro:  which  the  increase  should  be 
measured. 


the  problem  of  risk  evaluation 
the  dilemma  of 
extreme  improbability 
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^ ^ Fatal  accident  rates  for  all  United  States  air  carriers 
over  an  eleven-year  period.  The  lower  curve  represents  the  accidents  that 
involved  a mechanical  failure.  (Based  on  National  Transport  Safety 
Board  statistics,  1965-1975) 


Although  accident  statistics  do  not  provide  enough  data  So  estab- 
lish meaningful  safety  levels,  a review  of  the  National  Transportation 
Safety  Board  statistics  for  the  eleven-year  period  of  1965-1975  shows 
the  general  trends  plotted  in  Exhibit  12.4.  The  data  represent  all  fatal 
accidents  on  domestic  and  international  operations  of  United  States  air 
carriers  (excluding  training,  ferry,  and  military'  flights)  over  a period 
representing  approximately  54  million  flights.  During  these  eleven 
years  there  was  a total  of  523  accidents  from  all  causes,  both  fatal  and 
nonfatal,  and  of  the  73  fatal  accidents,  11  were  either  caused  by  or  in- 
volved a mechanical  failure  and  54  were  landing  accidents. 

The  causes  cf  these  11  accidents  were  classified  as  shown  in  Exhibit 
12.5  to  identify  the  ones  that  scheduled  maintenance  might  have  been 
able  to  prevent.  Even  with  the  benefit  of  hindsight,  it  is  unlikely  that 
additional  or  more  effectively  performed  maintenance  could  have  re- 
duced the  rate  by  more  than  half.  The  residual  accident  rate,  which 
includes  some  failures  of  apparently  sound  structure  in  extreme  turbu- 
lence, appears  to  be  1 per  10  million  flights.  Scheduled  maintenance 


probably  never  will  be  prescient  enough  to  prevent  the  first  occurrence 
of  certain  completely  unanticipated  types  cl  failure,  even  though  recur- 
rences can  be  prevented.  Thus  it  will  be  very  difficult  to  reduce  the  rate 
of  such  accidents  to  less  than  1 in  10  million  flights. 

THE  DILEMMA  OF  EXTTtEME  IMPROBABILITY 

The  current  airworthiness  regulations  for  transport  airplanes  cover  many 
aspects  of  aircraft  design— structural  strength,  powerplant  character- 
istics, airplane  performance  characteristics,  flight-handling  qualities, 
and  systems  characteristics.  These  regulations  are  directed  not  only  at 
reducing  the  likelihood  of  various  types  of  failure,  but  also  at  mitigating 
the  consequences  of  those  failures  that  will  inevitably  occur.  Thus 
there  are  detailed  requirements  for  damage-tolerant  structure  and  for 
the  residual  performance  capabilities  of  the  airplane  after  one  (or  more 
than  one)  engine  has  lost  power.  In  addition,  there  are  many  require- 
ments to  ensure  that  the  operating  crew  will  be  capable  of  handling  the 
airplane  safely  after  a failure  has  occurred.  These  airworthiness  regu- 
lations have  resulted  in  a commendable  safety  record  for  transport 
aircraft. 


EXHIBIT  12  "5  Classification  of  fatal  air-carrier  accidents  involving 
mechanical  failures. 


cause  of  accident 


no.  of  preventable  by 

accidents  scheduled  maintenance 


Failure  of  apparently  undamaged  2 No 

structure  in  turbulence 

Failure  of  damaged  structure: 

Airplane  1 Yes 

Helicopter  2 ? 

Failure  of  flight-control  system  1 Yes 

Secondary  damage  associated 
with  functional  failures: 

Auxiliary-power  unit  1 t 

Propulsion  system  1 Yes 

Propeller  1 ? 

Obscure  (functional  failures  2 7 

involved,  but  role  in  sequence 
of  events  leading  to  accident 

cannot  be  identified)  

11  ~3  yes 

2 no 
6? 


I 
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The  regulations  include  a certification  process  to  verify  that  the 
design  requirements  have  in  fact  been  met,  and  it  then  becomes  the 
responsibility  of  the  operating  r rganization  to  maintain  the  equipment 
in  such  a way  that  the  design  characteristics  are  preserved.  The  operator 
must  also  ensure  that  the  flight  crews  are  trained  in  the  procedures 
necessary  to  cope  with  various  types  of  failures.  A unique  problem  is 
now  being  encountered , however,  with  certain  systems  whose  functions 
cannot  be  duplicated  by  the  human  flight  crew.  This  situation  introduces 
the  possibility  that  at  some  time  a relatively  unlikely  sequence  of  fail- 
ures, some  of  them  perhaps  hidden,  might  result  in  the  loss  of  one  or 
more  functions  that  are  essential  to  operating  safety. 

The  design  objective,  of  course,  is  to  ensure  that  such  critical  fail- 
ures are  extremely  improbable,  and  the  FAA  has  suggested  that  extremely 
improbable  be  defined  as  an  expected  failure  rate  of  no  more  than  1 per 
billion  flights  (or  operating  hours,  as  applicable).  Even  when  an  analysis 
based  on  assumed  failure  rates  does  indicate  that  the  requirement  will 
be  met,  the  validity  of  the  assumed  rate  cannot  be  determined  in  the 
limited  amount  of  flying  done  during  the  certification  tests.  A further 
proposal,  therefore,  is  that  the  maintenance  intervals  be  reduced  if 
actual  failure  rates  are  higher  than  those  assumed  for  the  calculations.  A 
reliability-stress  analysis  based  on  assumed  failure  rates  may  be  quite  in- 
volved even  for  a simple  system.  For  example,  the  Boeing  727  automatic- 
takeoff  thrust  control  is  a nonredundant  system  whose  failure  can  be 
caused  by  the  failure  of  any  one  of  approximately  100  different  items, 
some  of  which  have  hidden  functions.  The  item  considered  to  be  the 
least  reliable  in  this  system  was  a fuel-control  unit  that  had  an  estimated 
mean  time  between  failures  of  167,000  hours.  To  meet  the  extreme- 
improbability  requirement,  however,  the  availability  oi  this  unit  would 
have  to  be  protected  by  a failure-finding  interval  of  only  125  hours.* 

The  question,  of  course,  is  whether  such  intensive  maintenance 
to  meet  this  probability  requirement  is  necessary  or  can  possibly  achieve 
the  desired  result.  One  in  a billion,  or  10-H,  is  a very,  very  small  number. 
There  probably  have  not  been  a billion  airplane  flights  since  the  Wright 
brothers  took  to  the  air.  To  put  it  another  way,  a billion  flights  repre- 
sents 200  years  of  operation  at  the  current  activity  level  of  the  United 
States  air  carrier  industry.  A risk  level  of  10~”  is  1 percent  of  the  current 
residual  accident  rate  that  cannot  be  reduced  by  scheduled  maintenance, 
and  it  is  one-fifth  of  1 percent  of  the  current  landing-accident  rate.  On 
this  basis  the  proposed  requirement  seems  unrealistic.  In  feet,  it  may 
even  be  counterproductive,  since  it  is  likely  to  prevent  the  development 
of  systems  that  would  improve  safety  even  though  they  cannot  satisfy 
the  extreme- probability  criterion.  The  real  issue,  however,  is  whether 

‘For  a discussion  of  this  analysis  see  J.  j.  Treacy,  Use  of  Probability  Analysis  in  Aircraft 
Certification  and  Its  Effects  on  Maintenance  and  Equipment  Maintenance,  AIAA  Aircraft 
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it  is  possible  to  develop  an  analytic  model  for  evaluating  new  systems 
that  is  in  itself  accurate  to  anything  approaching  this  order  of  magnitude. 

Under  the  circumstances,  although  reliability-stress  analysis  is  a 
valuable  tool  for  comparing  alternative  design  approaches,  its  appli- 
cation to  actual  operating  and  maintenance  requirements  would  be  dif- 
ficult to  justify.  Further  work  is  clearly  necessary  to  develop  a more 
viable  approach  to  the  problem. 


12*3  THE  DESIGN-MAINTENANCE  PARTNERSHIP 

The  interrelationship  between  design  and  maintenance  is  perhaps  most  requirements  for 

* 4 effective  maintenance 

apparent  in  the  case  of  aircraft.  On  one  hand,  the  design  of  the  equip-  requirements  fo- 
ment determines  its  inherent  reliability  characteristics,  including  the  product  improvement 
consequences  of  functional  failures;  on  the  other  hand,  scheduled  main- 
tenance attempts  to  preserve  all  the  safety  and  operating  reliability  of 
which  the  equipment  is  capable.  Realization  of  this  goal,  however, 
requires  a joint  effort  which  has  not  always  been  recognized.  Designers 
have  not  always  understood  the  capabilities  of  scheduled  maintenance 
and  the  practical  limits  on  these  capabilities.  By  the  same  token,  main- 
tenance organizations  have  not  always  had  a clear  grasp  of  the  design 
goals  for  the  equipment  they  maintain.  The  need  for  a cooperative 
effort  has  always  existed,  but  the  comprehensive  analysis  required  by 
RCM  techniques  makes  this  need  far  more  apparent. 

During  the  development  of  a prior-to-service  program  the  iden- 
tification of  significant  items  and  hidden  functions  depends  on  the 
designer's  information  on  failure  effects  as  well  as  the  operator's  knowl- 
edge of  their  consequences.  At  this  stage  the  information  on  anticipated 
failure  modes  and  their  associated  mechanisms  must  also  come  from 
the  designer.  While  the  maintenance  members  of  the  study  group  will 
be  able  to  draw  on  prior  experience  with  similar  materials,  design 
practices,  and  manufacturing  techniques,  this  information  should  be 
complemented  by  the  designer's  advice  concerning  the  ages  at  which 
various  forms  of  deterioration  are  likely  to  become  evident. 

At  a more  fundamental  level,  it  is  important  for  the  designer  to 
bear  in  mind  some  of  the  practical  aspects  of  scheduled  maintenance. 

In  general,  on-condition  inspections  are  the  most  effective  weapon 
against  functional  failures.  However,  it  must  be  possible  to  use  them, 
preferably  without  removing  items  from  their  installed  positions  on  the 
airplane.  Thus  the  designer  must  not  only  help  to  identify  the  items 
for  which  such  inspections  are  applicable,  but  must  also  make  sure 
that  there  is  some  means  of  access  to  the  area  to  be  inspected.  An  equally 
important  factor  is  the  use  of  materials  and  design  features  such  as 
damage  tolerance  which  result  in  a relatively  slow  deterioration  of 

items  intended  for  on-condition  inspections.  SECTION  U’3  341 
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EXHIBIT  12*6  The  design-maintenance  partnership 

Once  the  new  airplane  goes  into  service,  there  will  be  continuous 
refinement  and  improvement  of  the  basic  maintenance  program  as  a 
result  of  age  exploration.  There  will  Jso  be  unanticipated  failures, 
some  of  which  require  immediate  action.  In  these  cases  the  designer’s 
help  is  crucial  in  developing  new  interim  scheduled  tasks  that  will 
control  the  problem  until  design  changes  can  be  developed  and  in- 
corporated in  the  operating  fleet.  Both  the  design  and  maintenance 
organizations  must  work  together  to  identify  the  failure  mechanism, 
because  this  information  is  needed  for  product  improvement  as  well 
as  to  develop  the  interim  tasks.  The  product- improvement  process  and 
its  role  in  the  development  of  all  complex  equipment  was  discussed  in 
detail  in  Section  5.5.  However,  it  entails  a two-way  flow  of  information: 
the  operating  organization  must  identify  the  need  for  an  improvement, 
and  the  manufacturer  must  advise  the  operator  of  the  results  of  his 
continuing  test  programs  and  the  experiences  that  other  users  of  the 
equipment  have  encountered.  The  development  of  airplanes  that  can  be 
more  effectively  maintained  and  achieve  still  higher  levels  of  reliability 
and  safety  depends  on  a continuing  close  partnership,  with  both  design 
and  maintenance  organizations  familiar  with  and  sympathetic  to  each 
342  APPLICATIONS  other's  problems  and  goals. 


12*4  RCM  PROGRAMS  FOL  IN-SERVICE  FLEETS 


Aircraft  have  long  service  lives,  and  many  of  the  airplanes  now  in 
service  are  supported  by  maintenance  programs  developed  on  bases 
quite  different  from  RCM  methods,  For  the  most  part  these  maintenance 
programs  have  evolved  to  the  point  of  providing  adequate  protection 
of  safety  and  operating  capability.  It  is  natural  to  wonder,  however, 
about  the  extent  to  which  an  RCM  program  would  reduce  maintenance 
costs  and  even  improve  the  reliability  of  in-service  fleets.  In  nearly  all 
cases  there  will  be  some  benefits,  although  the  size  of  the  benefits 
will  depend  on  the  nature  of  the  existing  program.  For  an  airline  fleet 
maintained  by  a program  based  on  MSG-2  principles  the  gains  may  be 
minimal,  whereas  a fleet  supported  by  a traditional  program  will  show 
major  savings.  The  gains  will  be  somewhat  attenuated,  however,  by 
the  fact  that  aircraft  designed  under  earlier  design  philosophies  may 
have  fewer  items  capable  of  on-condition  inspections  and  more  with 
hidden  functions. 

The  areas  in  which  RCM  analysis  is  likely  to  provide  the  greatest 
economic  benefits  are  in  the  elimination  of  tasks  that  are  inapplicable, 
particularly  scheduled  rework  (hard-time  overhaul)  of  powerplants  and 
systems  items,  increases  in  task  intervals,  and  a reduction  in  the  number 
of  items  assigned  to  scheduled-maintenance  tasks.  Even  where  all 
present  tasks  do  meet  the  applicability  criteria,  the  analysis  will  fre- 
quently eliminate  a large  number  of  unnecessary  or  overlapping  casks, 
thereby  providing  further  economic  gains.  To  ensure  that  these  gains 
are  realized  it  is  important  to  reduce  the  size  of  the  workforce  to  corre- 
spond to  the  reduction  in  the  maintenance  workload. 

When  there  is  already  an  existing  program  it  is  sometimes  tempting 
to  modify  it  by  subjecting  the  present  tasks  piecemeal  to  RCM  decision 
logic.  This  practice  is  not  recommended,  since  there  is  always  a ten- 
dency to  perpetuate  some  of  the  tasks  that  are  not  really  justified. 
Moreover,  this  approach  will  certrinly  overlook  the  need  for  new  tasks. 
The  best  procedure  is  to  put  the  old  program  aside  and  conduct  a pure 
RCM  analysis  for  the  fleet.  After  the  RCM  program  has  been  completed 
it  should  be  compared  with  the  old  program  and  corrected  for  any  clear 
omissions,  and  the  differences  should  be  evaluated  to  determine  the 
benefits  the  new  program  will  provide. 

It  is  usually  most  efficient  to  set  up  a special  task  force  to  conduct 
the  RCM  analysis.  The  members  of  this  team  should  be  engineers, 
reliability  analysts,  and  possibly  production  or  production-planning 
personnel  who  are  familiar  with  the  type  of  airplane  involved.  The 
analysis  begins  with  the  identification  of  the  items  to  be  considered 
and  the  development  of  worksheets  to  record  the  data  elements  and  the 
decision  process.  Individual  members  of  the  task  force  are  then  assigned 


expected  benefits 
systems  programs 
powerplant  programs 
structure  programs 
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to  collect  the  data  and  complete  the  worksheets  for  each  item.  After  each 
member  has  completed  the  analysis  of  two  or  three  items,  the  results 
should  be  reviewed  by  the  whole  group.  This  review  is  necessary  to 
ensure  a common  understanding  of  the  decision  logic  and  to  improve 
the  definitions  of  functions  nd  failure  modes  being  used.  Usually  the 
review  will  turn  up  a number  of  functions  and  failure  modes  that  have 
been  overlooked. 

Work  should  proceed  quickly  after  this  first  review,  with  different 
members  of  the  task  force  assigned  to  the  various  systems,  the  power- 
plant,  and  the  structure.  Substantial  operating  history  for  an  in-service 
fleet  should  provide  more  than  enough  data  on  reliability  characteristics 
and  cost  factors  to  make  default  answers  unnecessary  for  any  of  the 
proposed  tasks.  When  each  major  portion  of  the  analysis  has  been 
finished,  it  is  reviewed,  any  necessary  adjustments  are  made,  and  all 
the  scheduled  tasks  are  then  consolidated  into  work  packages. 

An  alternative  approach  is  to  have  the  analysis  done  by  the  engi- 
neers who  are  normally  responsible  for  the  maintenance  standards  for 
the  various  items  on  the  airplane.  While  this  method  has  the  advantage 
of  utilizing  the  person  with  the  most  technical  knowledge  to  analyze 
each  item,  it  has  the  drawback  of  involving  a larger  number  of  people, 
with  a consequent  increase  in  the  work  of  training  and  coordination. 

SYSTEMS  PROGRAMS 

The  analysis  of  systems  items  for  an  in-service  fleet  is  similar  to  that 
for  the  initial  program  of  a new  type  of  airplane.  The  chief  difference 
is  that  in  this  case  real  data  are  available  on  reliability  characteristics, 
failure  consequences,  and  costs.  Although  rework  tasks  are  seldom 
applicable  to  systems  items,  the  information  is  on  hand  to  determine 
whether  such  tasks  do  meet  the  applicability  criteria,  and  if  so,  whether 
they  are  cost-effective.  In  fact,  except  for  hidden  functions  and  the 
rare  situation  that  involves  safety  consequences,  all  types  of  tasks  must 
meet  the  condition  of  cost  effectiveness.  The  same  information  also 
makes  it  possible  to  establish  optimum  task  intervals  at  this  stage. 

The  airlines  have  applied  MSG-2  techniques,  the  predecessor  of 
reliability- centered  maintenance,  to  the  systems  of  many  types  of  in- 
service  fleets  with  somewhat  mixed  results.  The  investigation  of  such 
techniques  on  the  Boeing  727  and  737  and  the  Douglas  DC-8  was  part 
of  the  process  that  led  to  MSG-1  and  MSG-2,  and  ultimately  to  RCM 
analysis.  Consequently,  by  the  time  MSG-2  programs  were  developed 
for  these  aircraft  it  was  found  that  the  anticipated  program  revisions 
for  many  items  had  already  been  accomplished  in  a rather  piecemeal 
fashion.  Even  so,  the  formal  reviews  led  to  significant  reductions  in 
the  number  of  scheduled  rework  tasks. 

Exhibit  12.7  shows  the  results  of  an  MSG-2  review  of  the  systems 
program  for  an  in-service  fleet  of  Boeing  727's.  The  differences  are  not 


LI 


disposition  after  review 

no  achadulad 


s 

f 

previom  progwn 

rework 

on-condltion 

maintenance  ! 

1 

l 

! 

f 

Rework 

172 

lltt 

23 

32  ! 

| 

f 

f 

[ 

On-condition* 

SIS 

1 

142 

182 

t 

l 

No  achadulad 
maintenance 

IS 

1 

11 

% 1 

3 1 

| 

i 

s 

Total 

512 

1» 

176 

217  j 

1 

•Many  of  tha  tasks  originally  classified  at  on-condltion  did  not  satisfy  iht  4 ■Hi- 
cability  criteria  for  this  type  of  task.  Soma  were  faihn*- finding  tasks  and  others 
worn  actually  no  scheduled  maintenance  (no  inspections  wen  arl».duled  and  none 
wen  poeaible). 

tTweive  of  the  rework  items  had  shorter  intervals  after  the  review. 


EXHIBIT  12*7  Summary  of  the  changes  in  the  Boeing  727  systems 
program  as  a result  of  MSG-2  review.  (United  Airlines) 


as  dramatic  as  they  would  have  be°n  if  the  existing  program  had  not 
been  undergoing  continuous  change  in  this  direction  as  MSG-2  evolved. 
Another  factor  is  that  many  of  the  rework  tasks  left  in  the  program 
were  for  highly  reliable  items  that  had  been  assigned  very  long  inter- 
vals, such  as  the  major  structural  inspection  interval.  These  rework 
tasks  were  included  not  because  they  met  the  criteria  for  applicability 
and  effectiveness,  but  simply  to  provide  a means  for  occasional  inspec- 
tion in  the  shop.  In  RCM  terminology  these  tasks  would  simply  be  shop 
on-condition  inspections,  although  the  requirement  might  be  met  in- 
stead by  shop  inspection  of  the  older  opportunity  samples. 

As  noted  in  Section  3.5,  there  are  some  other  differences  between 
RCM  and  MSG-2  terminology  for  the  basic  types  of  tasks.  The  category 
now  called  no  scheduled  maintenance  was  termed  condition  monitoring 
under  MSG-2.  MSG-2  also  provided  no  explicit  definition  of  failure- 
finding tasks;  hence  some  of  these  tasks  are  included  in  the  on-condition 
category  and  others  are  included  under  condition  monitoring. 

POWERPLANT  PROGRAMS 

If  the  existing  maintenance  program  for  a turbine  engine  includes  sched- 
uled rework  either  for  the  whole  engine  or  for  its  hot  section,  RCM 
analysis  will  probably  result  in  major  reductions  in  the  maintenance 
workload.  The  review  will  be  far  less  productive  if  the  present  program 
is  already  based  on  the  results  of  opportunity  sampling  and  age  explor- 
ation. The  economic  benefits  may  also  be  somewhat  limited  in  the 
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case  of  a single-engine  airplane.  Although  complete  dverhaul  will  do 
no  more  to  improve  reliability  than  it  would  if  the  engine  were  installed 
on  a multiengine  airplane,  there  is  a natural  tendency  to  specify  all 
possible  tasks  on  the  grounds  of  safety.  (Unlike  turbine  engines,  many 
types  of  piston  engines  do  have  age-related  wearout  characteristics 
and  thus  are  more  likely  to  benefit  from  complete  rework.)  However, 
the  safety  branch  of  the  decision  diagram  will  also  lead  to  the  inclusion 
of  any  task  that  is  even  partially  effective  in  reducing  the  frequency  of 
loss  of  thrust;  hence  a larger  number  of  rework  tasks  directed  at  specific 
failure  modes  will  probably  be  included  on  this  basis. 

The  major  benefit  in  applying  RCM  decision  logic  to  in-service 
powerplants  is  that  it  facilitates  the  identification  of  significant  items, 
so  that  a natural  aging  process  can  be  established  which  minimizes 
the  need  for  scheduled  removals  or  disassemblies.  It  is  possible  that  the 
existing  opportunity-sampling  program  is  adequate  forage-exploration 
purposes,  but  if  there  is  any  doubt,  a new  list  of  significant  items  can 
be  developed  and  compared  with  the  present  list.  If  the  lists  are  the 
same,  there  may  be  no  need  for  further  RCM  analysis.  If  there  are 
only  slight  differences,  it  may  still  be  possible  to  adjust  the  sampling 
requirements  instead  of  undertaking  a complete  analysis.  Otherwise 
an  analysis  should  be  com  pleted  for  a sample  of  ten  or  so  random  signifi- 
cant items  to  judge  whether  further  effort  will  be  productive. 

The  existing  maintenance  program  for  the  General  Electric  J-79 
engine  on  the  McDonnell  F4J  was  reviewed  in  1975  by  MSG-2  tech- 
niques. The  review  did  not  result  in  a program  that  was  completely 
structured  by  RCM  logic,  but  major  cost  reductions  were  achieved 
nevertheless  by  program  revisions  which  greatly  reduced  the  amount 
of  ineffective  scheduled  maintenance  that  was  being  performed.  The 
engine  overhaul  interval  was  doubled,  from  1,200  hours  to  2,400  hours, 
with  a special  inspection  introduced  at  1,200  hours,  and  a number  of 
tasks  were  eliminated  from  the  hot-section  inspection  performed  every 
600  hours. 

STRUCTURE  PROGRAMS 

The  chief  benefit  in  the  review  of  an  existing  structure  program  is 
likely  to  be  a more  effective  application  of  maintenance  resources. 
For  example,  an  analysis  of  the  McDonnell  F4J  structure  identified  161 
items  as  structurally  significant,  in  contrast  to  only  97  in  the  original 
program.  Of  these  161  items,  141  were  scheduled  for  detailed  inspec- 
tions, whereas  the  prior  program  called  for  detailed  inspection  of  only 
66  items.  Some  of  the  additional  items  were  designated  as  significant 
to  focus  inspections  on  specific  parts  of  the  structure  in  which  failures 
would  be  critical,  and  others  were  so  designated  to  ensure  the  discovery 
of  early  deterioration  for  economic  reasons.  It  is  difficult  to  assess  the 
economic  impact  of  these  program  changes  because  there  were  many 


adjustments  of  inspection  intervals,  a recommendation  for  a more 
dynamic  age-exploration  program  to  reduce  future  costs,  and  a major 
refinement  of  the  zonal  inspection  program, 

12*5  EXPANSION  OF  RCM  APPLICATIONS 

The  widespread  and  successful  application  of  RCM  principles  in  the  objectives  of  a 
air-transport  industry  has  important  implications  for  many  types  of  maintenance  program 
complex  equipment  other  than  aircraft.  Rapid-transit  systems,  fleets  ,’SK  precepts 
of  ships  and  buses,  and  even  machinery  used  in  complex  manufactur- 
ing processes  all  require  scheduled-maintenance  programs  that  will 
ensure  safe  and  reliable  operation.  Many  of  the  current  problems  indi- 
cate that  the  relationship  between  design  and  maintenance  is  not  clearly 
understood.  In  many  instances,  however  the  operating  organizations 
themselves  have  not  considered  the  real  capabilities  and  limitations  of 
scheduled  maintenance  and  have  been  frustrated  by  their  inability  to 
solve  the  operating  problems  that  are  caused  by  failures. 

In  most  cases  the  equipment  will  not  be  designed  to  the  same 
standards  as  those  applied  to  commercial  aircraft.  There  is  usually  far 
less  use  of  redundancy  to  protect  essential  functions,  with  the  result 
that  any  one  of  a multitude  of  minor  failures  can  render  the  equipment 
incapable  of  operation.  There  is  also  less  instrumentation,  so  that  a 
greater  number  of  items  are  subject  to  hidden  failures,  and  therefore 
to  the  risk  of  a multiple  failure.  Parts  that  require  inspection  are  often 
not  accessible  or  have  not  been  designed  to  facilitate  the  detection  of 
potential  failures.  Under  these  circumstances  RCM  analysis  will  not 
produce  a magic  solution  to  all  reliability  problems.  However,  it  will 
identify  the  maintenance  tasks  and  product  improvements  that  would 
alleviate  such  problems.  Meanwhile,  it  will  result  in  a program  that 
ensures  all  the  reliability  ofwhich  the  equipment  is  capable  and  includes 
only  the  tasks  that  will  accomplish  this  goal. 

In  general,  any  maintenance  support  program  based  on  RCM  prin- 
ciples has  the  following  objectives: 

► To  ensure  realization  of  the  inherent  safety  and  reliability  levels 
of  the  equipment 

► To  restore  the  equipment  to  these  inherent  levels  when  deteriora- 
tion occurs 

► To  obtain  the  information  necessary  for  design  improvement  of 
those  items  whose  inherent  reliability  proves  to  be  inadequate 

► To  accomplish  these  goals  at  a minimum  total  cost,  including 
maintenance  costs,  support  costs,  and  the  economic  consequences 
of  operational  failures 
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One  obstacle  to  all  these  objectives  is  the  tendency  to  rely  on  traditional 
concepts  of  scheduled  maintenance,  especially  the  belief  that  scheduled 
overhauls  are  a universally  effective  weapon  against  failures.  Thus  an 
organization  must  recognize  and  accept  the  following  facts  before  it  is 
prepared  to  implement  a detailed  RCM  program  for  its  equipment: 

► The  design  features  of  the  equipment  establish  the  consequences 
of  any  functional  failure,  as  well  as  the  cost  of  preventing  it. 

► Redundancy  is  a powerful  design  tool  for  preventing  complete 
losses  of  function  to  the  equipment. 

► Scheduled  maintenance  can  prevent  or  reduce  the  frequency  of 
complete* losses  of  function  (functional  failures),  but  it  cannot 
alter  their  consequences. 

► Scheduled  maintenance  can  ensure  that  the  inherent  reliability  of 
each  item  is  realized,  but  it  cannot  alter  the  characteristics  of  the 
item. 

► There  is  no  "right  time"  for  scheduled  overhauls  that  will  solve 
reliability  problems  in  complex  equipment. 

► On-condition  inspections,  which  make  it  possible  to  preempt 
functional  failures  by  potential  failures,  are  the  most  effective  tool 
of  scheduled  maintenance. 

► A scheduled-maintenancc  program  must  be  dynamic;  any  prior- 
to-service  program  is  based  on  limited  information,  and  the  operat- 
ing organization  must  be  prepared  to  collect  and  respond  to  real 
data  throughout  the  service  life  of  the  equipment. 

► Product  improvement  is  a normal  part  of  the  development  cycle 
for  all  new  equipment. 

Until  an  operating  organization  is  comfortable  with  these  facts 
it  may  be  difficult  to  proceed  confidently  with  the  results  of  RCM 
analysis.  There  is  often  concern  because  hard-time  tasks  play  such  a 
minor  role  and  so  many  complex  items  have  no  scheduled-maintenance 
requirements.  In  this  case  an  organization  may  wish  to  reinforce  its 
confidence  in  the  new  approach  by  conducting  studies  similar  to  those 
discussed  in  Appendix  B.  The  now  RCM  program  will  always  result  in 
substantial  savings,  chiefly  through  the  elimination  of  unnecessary  and 
unproductive  maintenance  effort.  More  important,  however,  by  directing 
both  scheduled  tasks  and  intensive  age-exploration  activities  at  those 
items  whi  :h  are  truly  significant  at  the  equipment  level,  such  a program 
will  ultimately  result  in  equipment  that  provides  a degree  of  reliability 
consistent  with  the  state  of  the  art  and  the  capabilities  of  maintenance 
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auditing  rcm  program  development 


AN  RCM  ANALYSIS  is  conducted  by  experienced  maintenance  people,  and 
her  nfessional  expertise  is  one  of  their  most  valuable  assets.  This 
- ,ciaiized  experience  has  a corresponding  penalty,  in  that  it  tends  to 
create  certain  biases  which  make  objective  judgment  difficult.  The 
decision-making  process  therefore  requires  an  independent  review  by 
someone  who  is  not  directly  involved  in  the  analysis  — an  auditor,  who 
can  test  the  logic  of  the  decision  against  the  prescribed  criteria  and 
procedures  and  check  for  any  flaws  in  the  reasoning.  Although  the 
auditor's  own  judgments  may  not  be  comoletely  free  of  bias  or  error, 
the  fact  that  he  is  independent  of  the  detailed  analysis  provides  him 
with  a different  perspective.  Thus  the  audit  serves  as  a practical  tool 
for  identifying  some  of  the  common  errors  in  the  use  of  the  decision 
logic,  and  frequently  some  of  the  more  subtle  errors  as  well. 

In  the  air-transport  industry  the  auditing  function  is  performed  uy 
members  of  the  steering  committee,  which  also  has  overall  responsibility 
for  the  program-development  project  (see  Section  6.2).  Thus  the  auditors 
assigned  to  individual  working  groups  will  be  aware  of  the  scope  of  the 
project,  the  overlap  of  work  among  the  various  groups,  and  the  specific 
level  of  effort  needed  to  coordinate  their  activities.  Because  the  prob- 
lems and  focus  of  the  analysis  will  differ  from  one  group  to  another,  it  is 
difficult  to  offer  any  universal  guidelines.  However,  working  groups 
tend  to  stray  fiom  the  objective  of  developing  a set  of  applicable  and 
effective  scheduled  tasks,  and  it  is  important  for  the  auditor  to  be  able 
to  detect  this  and  help  keep  the  project  on  the  track. 

In  many  organisational  contexts  the  work  of  the  steering  committee 
and  the  overall  management  of  trr  project  are  themselves  subject  to 
audit,  to  ensure  that  the  work  will  proceed  efficiently  and  will  result  in 
the  intended  product.  Once  the  program  has  beer  developed  arid  pack- 
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aged  for  implementation,  a group  within  the  operating  organization 
will  be  -esponsible  for  collecling  and  analyzing  the  reliability  data 
needed  to  assess  its  effectiveness  and  evaluate  the  desirability  of  new 
tasks.  The  auditing  functions  in  these  two  areas  often  lequire  a different 
set  of  skills  and  experience  from  those  needed  to  review  the  detailed 
analysis  of  the  equipment.  In  all  cases,  however,  both  the  auditm  and 
the  program-development  team  will  require  a clear  understanding  of 
the  basic  concepts  outlined  in  this  volume. 


A • 1 AUDITING  THE  PROGRAM- 
DEVELOPMENT  PROJECT 

The  first  draft  of  r.n  RCM  program  is  generally  prepared  by  a special 
task  force  consisting  of  a steering  committee  and  several  working  groups. 

The  project  may  be  organized  and  managed  in  several  ways,  and  the 
auditor's  first  concern  is  whether  the  organization,  staffing,  and  working 
procedures  are  adequate  to  carry  out  the  project. 

SCOPE  or  THE  PROJECT 

To  ensure  that  the  finished  maintena  ice  program  will  be  accurate  and 
complete,  both  the  auditor  and  all  participants  in  the  project  must  have 
a clear  understanding  of  its  exact  scope.  In  some  cases  the  project  will 
encompass  ccrt-in  portio  is  of  the  equipment,  rather  than  the  entire 
aircraft.  In  either  case  it  is  important  to  know  whether  the  program  is 
to  cover  all  levels  of  maintenance,  from  servicing  tasks  and  waikaround 
checks  to  the  major-inspection  level.  It  is  difficult  to  design  a complete 
maintenance  program  for  only  a few  of  the  levels  of  maintenance,  even 
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if  the  program  is  for  just  one  p^-  nr.  the  equipment.  If  'he  project 
does  include  only  portions  of  the  at  'are  must  also  be  clear  pro- 
visions for  handling  items  that  interim  the  portions  that  are  not 

included.  Otherwise  the  resulting  confus.  vill  lead  almost  inevitably 
to  gaps  and  overlaps  in  the  total  program.  The  auditor  should  make  sure 
he  understands  the  scope  of  the  project  and  should  check  periodically 
to  see  that  it  is  not  expanding  beyond  its  intended  bounds. 

DEFINITION  OF  THE  FINAL  PRODUCT 

The  completed  scheduled-maintenance  program  consists  of  all  the 
scheduled  tasks  and  their  intervals,  but  the  exact  form  of  this  program 
must  also  be  specified.  Both  the  auditor  and  the  program-development 
team  must  know  whether  the  final  product  is  to  be  simply  a list  of  the 
RCM  tasks  and  intervals,  with  a brief  description  for  the  use  of  produc- 
tion planners,  or  whether  it  is  to  consist  of  a complete  set  of  work 
packages,  like  the  letter-check  packages  assembled  in  airline  practice.  In 
either  case,  the  definition  of  the  final  prodv.ct  should  specify  the  level 
of  task  detail  and  the  amount  of  descriptive  material  to  be  included. 
Will  the  procedures  writers  be  able  to  translate  the  results  of  the  analysis 
into  job  instructions  that  accurately  reflect  the  purpose  of  each  task?  For 
whom  is  the  final  report  intended?  Are  detailed  explanatory  writeups 
of  the  program  needed  as  part  of  the  package?  The  final  product  will 
have  to  be  checked  against  these  requirements  before  it  is  submitted, 
and  a clear  understanding  of  them  at  the  outset  will  facilitate  the  work 
of  the  analyst  and  auditor  alike. 


't 

if 
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TIMETABLE  FOR  THE  FRO|ECT 

The  timetable  developed  for  completion  of  various  aspects  of  the  project 
is  also  subject  to  audit.  Is  it  realistic  in  terms  of  the  amount  of  work  to 
be  accomplished,  the  number  of  analysts  assigned,  and  their  previous 
experience  with  RCM  analysis?  Are  the  milestones  at  logical  points  for 
adequate  control  of  the  schedule  — or  perhaps  overspecified,  so  that 
crucial  target  dates  are  likely  to  suffer?  Do  they  take  into  account  the 
fact  that  analysis  of  the  first  few  items  will  proceed  much  more  slowly 
as  part  of  the  learning  process?  It  is  apparent  from  these  questions  that 
the  timetable  must  be  reasonably  tight,  but  also  flexible  and  realistic. 

The  auditor  must  accomplish  his  own  work  within  this  timetable.  In 
most  cases  progress  reviews  will  be  conducted  when  the  overall  plan 
is  drafted,  wli  n the  program-development  team  has  been  organized 
and  trained,  when  each  working  group  has  agreed  on  a list  of  significant 
items  and  analysis  of  the  first  few  items  has  been  completed,  when  each 
major  portion  of  the  program  has  been  completed,  and  when  the  final 
product  has  been  assembled  and  is  ready  for  approval.  Additional  audits 
will  be  needed  between  these  check  points  to  review  progress  and 
clear  up  any  questions  or  misconceptions  in  the  analysis  itself.  Whtre 
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subsequent  work  depends  on  the  results  of  the  auditor's  review,  is  the 
review  timed  to  ensure  that  it  will  not  impede  other  aspects  of  the 
analyst's  work? 

THE  PROGRAM- DEVELOPMENT  TEAM 

In  addition  to  those  factors  that  relate  to  the  project  itself,  the  auditor 
must  also  consider  the  organization  of  the  program-development  team 
and  the  skills  of  the  people  who  comprise  it.  Whereas  the  analysts  will 
be  working  engineers  with  extensive  hardware  experience,  the  task 
force  should  be  headed  by  someone  with  managerial  experience,  and 
preferably  someone  who  has  had  experience  on  similar  projects.  Is  the 
manager  himself  knowledgeable  about  RCM  principles,  or  is  he  assisted 
by  someone  who  is?  Is  he  in  an  organizational  position  that  will  facili- 
tate completion  and  implementation  of  the  project?  To  what  extent  is 
the  project  supported  by  top  management? 

The  adequacy  of  the  staffing,  the  working  arrangements  among  the 
team  members,  and  the  availability  of  outside  resources  all  require 
careful  study.  Are  there  enough  people  to  do  the  work  in  the  time 
allotted  — and  not  too  many  to  work  closely  as  a team?  Are  the  analysts 
in  each  working  group  experts  in  the  portion  of  the  equipment  they  will 
be  analyzing?  Are  all  engineering  and  reliability  disciplines  represented 
or  available  for  consultation?  How  is  the  task  force  organized?  Does 
the  organization  provide  for  direct  interaction  among  members  of  the 
group,  or  are  there  organizational  obstacles  that  may  impede  communi- 
cation? Is  each  analyst  responsible  for  a complete  analysis,  or  are  various 
aspects  of  the  job  (researching  information,  completing  worksheets,  etc.) 
assigned  in  a way  that  makes  work  difficult  to  integrate?  What  arrange- 
ments have  been  made  for  the  analyst  to  obtain  help  from  outside 
resources  or  more  details  about  the  operation  and  construction  of  the 
equipment?  Is  the  designer  available  to  answer  questions  about  specific 
failure  modes  and  effects?  Is  there  someone  available  to  each  working 
group  who  has  an  extensive  knowledge  of  RCM  techniques?  The  auditor 
should  not  only  check  the  availability  of  these  resources,  but  also  deter- 
mine how  frequently  they  are  being  used. 

STANDARDS  AND  PROCEDURES 

One  important  function  of  the  steering  committee  (or  manager  of  the 
task  force)  is  to  arrange  for  training  of  all  participants.  This  includes 
general  familiarization  with  the  design  features  of  the  new  equipment, 
as  well  as  training  in  RCM  procedures  and  the  standards  to  be  used  for 
this  particular  project.  If  this  is  a large  project,  some  members  will 
require  more  training  than  others.  Has  each  member  of  the  task  force 
received  adequate  training  in  RCM  methods,  and  is  the  RCM  text  avail- 
able for  easy  reference?  Other  standards  that  apply  to  the  project  should 
also  be  available  in  written  form.  Does  each  analyst  have  a copy  of  the 


SECTION 


cost-tradeoff  models  to  be  used,  including  the  costs  imputed  by  this 
organization  to  various  types  of  operational  failures?  What  failure  rates 
or  repair  expenses  are  considered  high  enough  to  qualify  an  item  for 
analysis?  All  written  standards  and  procedures  should  be  checked  care- 
fully for  any  ambiguity  or  lack  of  clarity.  They  should  also  be  checked 
for  any  fundamental  conflicts  with  basic  RCM  concepts. 

Each  working  group  will  require  additional  detailed  training  on  the 
portion  of  the  equipment  to  be  analyzed.  Have  all  analysts  been  fur- 
nished with  written  materials,  schematics,  and  full  descriptions  of  the 
hardware  and  its  relationship  to  other  aspects  of  the  airplane?  Are 
reliability  data  available  for  similar  items,  either  from  developmental 
testing  or  from  service  experience?  Is  there  access  to  an  actual  production 
model  of  the  equipment  if  further  questions  arise? 

A • 2 AUDITING  THE  DECISION  PROCESS 

THE  SELECTION  OF  ITEMS  FOR  ANALYSIS 

Once  the  program-development  team  has  been  assembled,  organized, 
and  trained,  the  focus  of  auditing  shifts  to  the  analysis  process  itself. 
Ordinarily  this  phase  of  auditing  is  carried  out  by  a member  of  the 
steering  committee,  but  the  chief  prerequisite  is  a clear  understanding 
of  RCM  principles.  As  a preliminary  step  the  working  group  will  screen 
out  all  obviously  nonsignificant  items  and  complete  descriptive  work- 
sheets for  those  items  selected  for  analysis.  Thus  the  first  problem  may 
be  in  arriving  at  a common  definition  of  significant  item.  There  is  often 
a tendency  to  identify  items  as  significant  on  the  basis  of  their  cost 
and  complexity,  rather  than  on  the  basis  of  their  failure  consequences. 
It  is  important  that  all  members  of  the  group  understand  that  failure 
consequences  refers  to  the  direct  impact  of  a particular  loss  of  function 
on  the  safety  and  operating  capability  of  the  equipment,  not  to  the 
number  of  failure  possibilities  for  the  item  or  the  effect  of  these  failures 
on  the  item  itself. 

Another  area  that  may  require  clarification  is  the  definition  of 
operational  consequences.  If  the  minimum-equipment  list  or  other 
regulations  stipulate  that  the  equipment  cannot  be  dispatched  with 
an  item  inoperative,  the  item  is  always  classified  initially  as  one  whose 
failure  will  have  operational  consequences.  However,  the  actual  eco- 
nomic impact  will  vary  from  one  operating  context  to  another  and 
even  from  organization  to  organization,  depending  on  scheduled  use 
of  the  equipment,  maintenance  facilities,  the  ease  of  replacing  failed 
units,  and  a variety  of  other  considerations.  For  this  reason  it  is  necessary 
to  have  a clear  definition  of  the  circumstances  that  constitute  operational 
consequences  and  the  relative  costs  imputed  to  those  consequences 
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this  information  there  is  no  clear  basis  for  determining  whether  a given 
type  of  failure  would  have  major  economic  consequences  for  this  par- 
ticular organization. 

REVIEWING  THE  INFORMATION  WORKSHEETS 

Several  problems  m?y  come  to  light  when  the  completed  worksheet 
forms  are  examined.  One  of  these  is  the  design  of  the  worksheets  them- 
selves. Each  organization  will  have  its  own  preferences  about  forms, 
but  the  worksheets  must  cover  all  the  points  to  be  considered  in  the 
analysis.  Whenever  worksheets  are  redesigned  there  is  always  the 
danger  of  overlooking  some  of  the  basic  elements  or  introducing  "im- 
provements" that  reflect  misconceptions.  In  general  the  forms  should 
be  as  simple  as  possible  and  still  provide  an  adequate  record  of  the 
decision  process.  The  chief  criterion  is  that  each  task  be  completely 
traceable.  At  any  time,  either  during  or  after  analysis,  it  must  be  pos- 
sible to  start  with  any  function  and  trace  through  to  the  task  assigned 
to  protect  it  or  to  backtrack  from  a given  task  to  examine  the  reasoning 
that  led  to  it.  Obvious  omissions  can  often  be  spotted  from  an  examina- 
tion of  the  blank  forms,  but  more  subtle  difficulties  may  not  come  to 
light  until  the  first  few  worksheets  are  completed. 

Another  problem  — and  perhaps  the  single  most  important  error  for 
the  auditor  to  detect  — is  improper  definition  of  the  functions  of  an 
item.  Is  the  basic  function  stated  precisely  for  the  level  of  item  in 
question?  Does  it  relate  directly  to  some  higher-level  function  that  is 
essential  to  operating  capability?  If  not,  there  may  be  some  confusion 
about  the  level  of  item  under  discussion.  Have  all  secondary  or  charac- 
teristic functions  been  listed,  and  is  each  in  fact  a separate  function 
from  th  ■ standpoint  of  the  operating  crew  or  the  system  as  a whole?  Does 
the  list  include  all  hidden  functions  (again,  stated  in  terms  of  the  system 
as  a whole)?  If  there  are  failure  possibilities  with  no  related  function, 
this  is  a clue  that  the  functions  themselves  require  further  thought. 
For  example,  the  basic  function  of  a fuel  pump  is  to  pump  fuel;  however, 
if  this  item  is  also  subject  to  leaks,  one  additional  function  must  be  to 
contain  the  fuel  (be  free  of  leaks). 

It  is  important  to  bear  in  mind  that  the  level  of  item  being  analyzed 
will  affect  the  way  the  functions  are  described.  At  the  parts  level  each 
part  has  a function  with  respect  to  the  assembly  in  which  it  is  contained, 
but  a description  of  these  functions  leads  to  an  analysis  of  failures 
only  from  the  standpoint  of  the  assembly,  not  from  the  standpoint  of  the 
system  or  the  aircraft  as  a whole.  At  too  high  a level  the  number  of 
functions  and  failure  possibilities  may  be  too  great  for  efficient  analysis. 
One  test  is  to  select  a few  items  and  try  combining  them  or  dividing 
them  further  to  see  whether  this  changes  the  list  of  functions.  If  so, 
select  the  level  that  makes  the  analysis  most  efficient  but  still  includes 
all  the  functions  that  can  clearly  be  visualized  from  the  aircraft  level. 


The  statement  of  functional  failures  should  be  examined  carefully 
for  any  confusion  between  functional  failures  and  failure  modes.  This 
statement  must  describe  the  condition  defined  as  a functional  failure 
(a  loss  of  the  stated  function),  not  the  manner  in  which  this,  failure 
occurs.  There  is  often  a tendency  to  describe  a failure  such  as  external 
leaks  as  "leaking  oil  seal,"  with  the  result  that  other  failure  modes  that 
lead  to  external  leaks  may  be  overlooked,  or  else  erroneously  attributed 
to  some  other  function.  This  problem  is  often  a source  of  the  difficulty 
in  defining  the  item's  functions.  The  statement  describing  the  loss  of  a 
hidden  function  requires  particular  care  to  ensure  that  it  does  not  refer 
to  a multiple  failure.  For  example,  if  the  function  of  a check  valve  is  to 
prevent  backflow  in  case  of  a duct  failute,  the  functional  failure  in  this 
case  is  not  backflow,  but  no  protection  against  backflow.  Errors  in  this 
area  can  be  quite  subtle  and  difficult  to  spot,  but  they  frequently  lead 
to  confusion  about  the  failure  consequences. 

The  identification  of  failure  modes  is  another  problem  area.  Do  the 
worksheets  list  failure  modes  that  have  never  actually  occurred?  Are 
the  failure  modes  reasonable  in  light  of  experience  with  similar  equip- 
ment? Have  any  important  failure  modes  been  overlooked?  In  this  area 
the  auditor  will  have  to  rely  on  his  own  general  engineering  background 
to  identify  points  on  which  further  consultation  with  the  designer  or 
other  specialists  is  advisable.  One  problem  to  watch  for  is  superfici- 
ality — failure  modes  that  are  not  the  basic  cause  of  the  failure.  Another  is 
the  tendency  to  list  all  possible  failure  modes,  regardless  of  their  like- 
lihood. This  resul’.r  in  a great  deal  of  unnecessary  analysis  and  the 
possible  inclusion  of  unnecessary  tasks  in  the  initial  program. 

Just  as  failure  modes  mav  slide  back  into  the  description  of  func- 
tional failures,  they  also  tend  to  slide  into  the  description  of  failure 
effects.  Thus  one  point  to  watch  for  is  a description  of  failure  effects 
that  relate  to  the  cause  of  the  failure,  rather  than  to  its  immediate  results. 
Again,  the  failure  mode  "leaking  oil  seal"  will  sometimes  be  stated  as  a 
failure  effect  (perhaps  with  "oil-seal  failure"  given  as  the  failure  mode). 
This  is  a subtle  error,  but  it  obscures  the  effect  of  the  functional  failure 
in  question  on  the  equipment  and  its  occupants. 

The  description  of  failure  effects  must  include  all  the  information 
necessary  to  support  the  analyst's  evaluation  of  the  failure  consequences. 
Does  the  statement  include  the  physical  evidence  by  which  the  operating 
crew  will  recognize  that  a failure  has  occurred  — or  if  there  is  none  (a 
hidden  failure),  is  this  fact  mentioned?  Are  the  effects  of  secondary 
damage  stated,  as  well  as  the  effects  of  a loss  of  function,  and  is  it  clear 
from  the  description  whether  or  not  the  secondary  damage  is  critical? 
Is  the  description  stated  in  tenns  of  the  ultimate  effects  of  the  failure 
with  no  preventive  maintenance?  In  the  case  of  hidden  functions  the 
ultimate  effects  will  usually  represent  the  combined  effects  of  a possible 


multiple  failure.  This  information  helps  to  establish  the  intensity  of 
maintenance  required  to  protect  the  hidden  function;  however,  it  must 
be  clear  from  the  description  that  these  effects  are  not  the  immediate 
result  of  the  single  failure  under  consideration, 

The  failure  effects  should  be  examined  to  ensure  that  they  do  not 
represent  overreaction  by  inexperienced  analysts.  At  the  other  extreme, 
there  is  a possibility  that  serious  effects  may  have  been  overlooked 
where  the  equipment  cannot  be  shown  to  be  damage-tolerant  for  certain 
types  of  failures.  In  either  case  the  effects  stated  — including  secondary 
damage— must  be  a direct  result  of  the  single  failure  in  question,  and 
not  effects  that  will  occur  only  in  conjunction  with  some  other  failure 
or  as  a result  of  possible  pilot  error.  As  with  hidden-function  items, 
protection  against  multiple  failures  is  provided  for  in  the  decision 
logic  by  independent  analysis  of  each  single  failure  possibility. 

CLASSIFICATION  OF  FAILURE  CONSEQUENCES 

The  first  three  questions  in  the  decision  logic  identify  the  consequences 
of  each  type  of  failure,  and  hence  the  branch  of  the  decision  diagram 
in  which  proposed  tasks  are  to  be  evaluated.  The  answers  to  these 
questions  therefore  warrant  special  attention  during  auditing  to  ensure 
that  the  tasks  have  been  measured  against  the  correct  effectiveness 
criterion.  The  basis  for  each  answer  should  be  clearly  traceable  to  the 
information  recorded  on  the  descriptive  worksheet. 

There  are  several  common  problems  in  identifying  hidden  func 
tions.  The  first  matter  to  be  ascertained  concerns  the  use  of  the  decision 
diagram  itself.  Has  the  evident-failure  question  been  asked,  not  for 
the  item,  but  for  each  of  its  functions?  If  not,  the  answer  may  be  true 
only  for  the  basic  function,  and  other  functions  will  be  analyzed 
according  to  the  wrong  criteria.  And  if  the  basic  function  of  the  item 
happens  to  be  evident,  hidden  functions  that  require  scheduled  tasks 
may  be  overlooked.  Another  common  error  is  the  tendency  to  overlook 
cockpit  instrumentation  as  a means  of  notifying  the  operating  crew  of 
malfunctions  that  would  otherwise  not  be  evident.  An  error  that  is  more 
difficult  to  spot  is  the  identification  of  a replicated  function  in  an  active 
system  as  evident  when  a failure  would  in  fact  not  become  evident  until 
both  units  failed. 

Have  the  hidden  functions  of  emergency  items,  such  as  ejection- 
seat  pyrotechnics  and  stored  oxygen,  been  overlooked?  Hidden-function 
items  with  built-in  test  equipment  may  be  improperly  identified  as 
having  evident  functions  because  failure-finding  tasks  are  performed 
by  the  operating  crew.  S;milarly,  items  whose  loss  of  function  is  evident 
during  normal  use  may  be  mistakenly  classified  as  hidden  function 
items  simply  because  they  are  not  used  during  every  flight.  (In  this 
case  the  failure-reporting  system  may  have  to  be  supplemented  by 
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maintenance  checks  to  ensure  continued  availability,  but  the  analysis 
of  this  function  does  not  fall  in  the  hidden-function  branch.) 

Answers  to  the  safety  questions  may  reflect  some  misconceptions 
about  the  definition  of  a critical  failure.  Has  a failure  been  identified 
as  critical  (or  for  that  matter,  as  evident)  on  the  basis  of  multiple- 
failure  consequences,  rather  than  the  consequences  of  a single  failure? 
Has  it  been  identified  as  critical  because  it  requires  immediate  corrective 
maintenance  — that  is,  it  has  operational  (but  not  safety)  consequences? 
Has  the  analyst  taken  into  account  redundancy  and  fail-safe  protection 
that  prevent  a functional  failure  from  being  critical?  One  problem  that 
requires  special  attention  is  the  failure  to  identify  secondary  damage 
as  critical  when  the  aircraft  cannot  be  shown  to  be  damage-tolerant  in 
this  respect. 

Answers  to  the  operational-consequences  question  should  be 
checked  for  any  inconsistencies  with  the  minimum-equipment  list 
(MEL)  and  the  configuration-deviation  list  (CDL).  The  auditor  should 
watch  for  tendencies  to  interpret  failures  that  are  expensive  to  repair 
as  having  operational  consequences,  or  to  ascribe  operational  conse- 
quences to  failures  that  inconvenience  the  operating  crew  but  do  not 
limit  the  operating  capability  of  the  equipment  in  any  way.  In  some 
cases  operating  restrictions  associated  with  continued  operation  after 
the  occurrence  of  a failure  may  be  overh  oked  as  operational  conse- 
quences. If  they  have  also  been  overlooked  in  the  statement  of  failure 
effects,  they  should  be  added  to  the  information  worksheet. 

A no  answer  to  question  3 means  that  the  failure  in  question  has 
only  nonoperational  consequences,  and  that  function  need  not  be  pro- 
tected by  scheduled  tasks  in  an  initial  program.  If  the  item  is  subject 
to  a particularly  expensive  fai’ure  mode,  it  will  ordinarily  be  assigned 
to  intensive  age  exploration  to  determine  whether  scheduled  main- 
tenance will  be  cost-effective.  At  this  stage,  however,  any  task  analysis 
that  falls  in  the  third  branch  of  the  decision  diagram  is  subject  to  chal- 
lenge by  the  auditor  and  must  be  supported  by  a cost-tradeoff  study 
based  on  operating  data  for  the  same  or  a similar  item. 

All  answers  to  the  first  three  decision  questions  should  be  examined 
in  detail,  at  least  for  the  first  few  items  completed  by  each  analyst. 
Even  experienced  analysts  will  have  to  refer  to  the  RCM  procedures  to 
refresh  their  memories  on  certain  points,  and  the  auditor's  review  of 
this  aspect  of  the  decision  logic  is  essential  not  only  to  correct  errors, 
but  to  ensure  that  the  analyst  fully  understands  the  nature  of  the 
questions.  Misconceptions  in  this  area  are  often  evidenced  by  attempts 
to  revise  the  decision  diagram  to  overcome  some  apparent  shortcoming. 
So  far  such  revisions  have  proved  to  stem  from  an  incomplete  under- 
standing of  RCM  concepts,  rather  than  from  deficiencies  in  the  diagram. 
The  auditor  should  therefore  be  alert  to  this  tendency  and  make  sure 
that  the  decision  diagram  has  not  been  altered. 


TASK  SriECTIONi  APPLICABILITY  CRITERIA 

The  answers  to  the  remaining  decision-diagram  questions  represent 
the  evaluation  of  proposed  tasks.  The  most  important  point  for  the 
auditor  to  determine  here  is  that  the  analyst  understands  the  relative 
resolving  power  of  the  four  basic  types  of  task  and  the  specific  condi- 
tions under  which  each  type  of  task  is  applicable.  One  frequent  error  in 
evaluating  an  on-conditioi.  task  is  the  failure  to  recognize  all  the  appli- 
cability criteria.  If  the  task  is  merely  an  inspection  of  the  general 
condition  of  the  item  and  is  not  directed  at  a specific  failure  mode,  it 
does  not  constitute  an  on-condition  task.  The  failure  mode  must  also  be 
one  for  which  it  is  possible  to  define  a potential-failure  stage,  with  an 
adequate  and  fairly  predictable  interval  for  inspection.  Another  error  is 
extending  the  task  to  include  the  detection  of  functional  failures  (as 
defined  for  the  level  of  item  being  analyzed);  the  objective  of  an  on- 
condition  task  is  to  remove  units  from  service  before  the  functional- 
failure  point. 

It  is  important  to  evaluate  proposed  on-condition  tasks  in  terms  of 
their  technical  feasibility.  The  failure  mode  may  be  one  for  which  on- 
condition  inspection  is  applicable,  but  is  tire  item  accessible  for  inspec- 
tion? Is  the  task  one  that  is  feasible  within  the  maintenance  framework 
of  the  organization?  Working  groups  often  suggest  inspection  tech- 
niques that  are  still  in  the  developmental  state  or  recommend  methods 
that  are  feasible  in  theory  but  have  not  been  tested.  In  the  case  of 
critical  failure  modes  this  may  be  necessary,  but  it  is  equally  likely  that 
redesign  would  eliminate  the  need  for  the  task,  and  both  alternatives 
should  be  investigated.  Does  each  inspection  task  include  the  specific 
evidence  the  mechanic  is  to  look  for?  If  not,  the  procedure  writers  may 
have  difficulty  converting  the  task  to  the  proper  job  instruction,  espe- 
cially when  t'  e task  is  a visual  inspection. 

If  a rework  task  has  been  specified,  have  the  age-reliability  charac- 
teristics of  the  item  been  established  by  actuarial  analysis?  Does  the 
conditional-probability  curve  show  wearout  characteristics  at  an  identi- 
fiable age  and  a high  probability  of  survival  to  that  age?  Is  the  failure 
mode  one  for  which  rework  will  in  fact  restore  the  original  resistance  to 
failure?  The  auditor  should  be  prepared  to  question  assumptions  that 
the  item  under  study  will  prove  to  have  the  same  reliability  characteris- 
tics as  a similar  item  that  was  shown  to  benefit  from  scheduled  rework. 
If  there  is  reason  to  believe  that  scheduled  removals  for  rework  will  be 
of  value,  is  there  a cost-effective  interval  for  this  task?  Has  the  item 
been  assigned  to  age  exploration  to  obtain  the  necessary  information? 

The  only  discard  tasks  that  should  appear  in  an  initial  program  are 
for  items  that  have  been  assigned  life  limits  by  tire  manufacturer.  How- 
ever, there  is  sometimes  confusion  about  the  difference  between  safe-life 
limits  and  other  age  limits.  Does  the  safe-life  limit  represent  a zero 
conditional  probability  of  failure  up  to  that  age?  Is  the  limit  supported 
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by  manufacturer's  test  data?  If  the  task  interval  instead  represents  the 
average  age  at  failure,  it  is  incorrect.  Safe-life  tasks  are  applicable  only 
to  items  subject  to  critical  failures;  hence  they  should  appear  only  in 
the  safety  branch  of  the  decision  diagram.  The  life  limits  assigned  to 
hidden-function  emergency  items  - which  are  not  in  themselves  subject 
to  critical  failures -are  adjusted  on  the  basis  of  failure-finding  tests  and 
in  the  strict  sense  are  not  safe-life  limits.  The  auditor  should  question 
any  safe-life  discard  tasks  that  are  not  supported  by  on-condition  in- 
spections (where  possible)  to  ensure  that  the  safe-life  age  will  be 
achieved. 

There  are  several  pitfalls  to  watch  for  in  auditing  failure-finding 
tasks.  One  is  the  failure  to  recognize  that  these  tasks  are  the  result  of 
default -that  is,  they  are  the  outcome  of  all  no  answers  in  the  hidden- 
function  branch  of  the  decision  diagram.  Another  problem  is  failure 
to  recognize  that  these  tasks  are  limited  to  the  detection  of  functional 
failures,  not  potential  failures.  The  intervals  for  such  tasks  should  be 
examined  for  mistaken  assumptions  concerning  the  required  level  of 
availability.  Does  the  level  of  availability  properly  reflect  the  conse- 
quences of  a possible  multiple  failure?  Has  the  analyst  overlooked  the 
fact  that  the  interval  is  based  only  on  the  required  availability  of  the 
hidden  function  itself?  Have  failure-finding  tasks  covered  by  routine 
crew  checks  been  accounted  for  on  the  decision  worksheets? 

TASK  SELECTION)  EFFECTIVENESS  CRITERIA 

It  is  important  to  remember  that  the  applicability  criteria  for  tasks  per- 
tain only  to  the  type  of  task  and  are  true  for  that  task  regardless  of  the 
nature  of  the  failure  consequences.  The  effectiveness  criteria,  however, 
depend  on  the  objective  of  the  task  — the  category  of  failure  consequences 
it  is  intended  to  prevent- regardless  of  the  nature  of  the  task.  Thus 
the  expected  resolving  power  of  a particular  task  can  be  measured  only 
in  terms  of  the  effectiveness  criterion  for  the  branch  of  the  decision 
diagram  in  which  the  failure  is  being  analyzed. 

Some  practical  problems  often  come  up  in  interpreting  the  effective- 
ness criterion  for  the  safety  branch.  Do  the  tasks  and  intervals  selected 
have  a reasonable  chance  of  preventing  all  critical  failures?  If  not,  what 
is  the  basis  for  judging  that  the  remaining  risk  level  is  acceptable?  It  is 
important  in  this  connection  to  bear  in  mind  the  resolving  power  of  the 
different  types  of  tasks.  On-condition  tasks  provide  control  of  individual 
units  and  therefore  have  a good  chance  of  preventing  all  functional  fail- 
ures if  the  inspection  interval  is  short  enough;  in  contrast,  age-limit  tasks 
(scheduled  removals)  merely  control  the  overall  failure  rate  for  the  item. 
The  auditor  should  therefore  question  the  decision  outcome  of  scheduled 
rework  in  the  safety  branch,  because  a reduction  in  the  failure  rate  is 
unlikely  to  reduce  the  risk  of  failure  to  an  acceptable  level.  What  is  the 
policy  or  procedure  for  items  for  which  no  applicable  and  effective 


360  APPENDICES 


tasks  can  be  found?  Is  there  an  established  procedure  for  referring  them 
back  for  redesign?  Is  there  provision  for  a review  with  the  designer  prior 
to  any  such  referrals?  . . 

For  tasks  in  the  operational-consequences  branch  the  only  criterion 
for  effectiveness  is  cost  effectiveness.  Does  the  analysis  show  the  basis 
for  detennining  that  the  task  will  be  cost-effective?  What  costs  are 
imputed  to  the  operational  consequences,  and  what  is  the  source  of 
these  costs?  Is  the  number  of  operational  interruptions  shown  in  the 
analysis  realistic?  Is  the  expected  reduction  in  this  number  as  a result 
of  the  proposed  task  based  on  real  data,  or  at  least  real  data  fora  similar 
item? 

Cost  effectiveness  is  far  more  difficult  to  justify  in  the  nonopera- 
tional-consequences  branch,  if  a task  has  been  assigned,  what  is  the 
basis  for  the  cost-tradeoff  analysis?  Does  the  analysis  erroneously  attri- 
bute imputed  costs  of  operational  interruptions  to  these  failures?  If  it 
includes  any  savings  beyond  the  cost  of  correcting  the  failure  and  its 
resulting  secondary  damage,  the  cost  analysis  is  incorrect. 

In  the  hidden-function  branch  a proposed  task  must  ensure  the 
level  of  availability  necessary  to  reduce  the  risk  of  a multiple  failure 
to  an  acceptable  level.  Is  there  a policy  concerning  this  risk  level  that 
can  In  used  to  interpret  adequate  availability?  Does  the  policy  differen- 
tiate between  items  on  the  basis  of  the  consequences  of  the  multiple 
failure? 

USE  OE  THE  DEFAULT  STRATEGY 

In  any  initial  program  the  decision  paths  will  reflect  default  answers. 

Thus  the  analyst's  use  of  the  default  strategy  should  also  be  audited. 

Have  failures  which  may  or  may  not  be  evident  to  the  operating  crew 
always  been  classified  as  hidden  ? Where  it  cannot  be  demonstrated  that 
any  anticipated  secondary  damage  will  not  be  critical,  has  the  failure 
been  assigned  to  the  safety  branch?  Have  any  opportunities  been  over- 
looked to  assign  on-condition  inspections  that  may  be  partially  effective 
in  preempting  functional  failures?  1 lave  all  items  for  which  the  necessary 
information  was  unavailable  been  assigned  to  age  exploration?  In 
checking  the  analyst’s  understanding  of  the  default  strategy,  the  auditor 
may  encounter  some  instances  of  overuse.  Have  default  answers  been 
used  when  real  and  applicable  data  for  the  item  are  in  fact  available  as 
the  basis  for  a tirm  decision? 

GENERAL  USE  OF  THE  DECISION  LOGIC 

After  examining  individual  aspects  of  the  decision  logic,  the  auditor 
must  review  the  results  of  the  analysis  in  larger  perspective.  Has  every 
task  been  assigned  through  direct  application  of  the  decision  logic?  One 
major  problem  is  the  tendency  to  select  a familiar  maintenance  task  and 

then  work  back  through  the  decision  logic  to  justify  it.  This  handicaps  SECTION  A*l  3bl 
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the  analysis  in  two  ways:  on  one  hand,  more  of  the  tasks  tend  to  stay 
justified,  and  on  the  other,  the  possibilities  of  new  tasks  are  not  ex- 
plored. Some  analysts  may  have  a strong  preference  for  rework  tasks 
and  will  specify  them  whether  they  are  applicable  or  not.  Others  will 
favor  on-condition  inspections  under  any  and  all  circumstances. 

The  auditor  should  look  for  signs  of  individual  bias  during  the 
progress- review  meetings,  and  by  actually  counting  the  numbers  of  each 
type  of  task  selected  by  the  various  analysts.  If  there  are  more  than  a 
dozen  rework  tasks  foi  vne  entire  systems  division  of  a new  type  of 
airplane,  the  results  of  the  analysis  should  be  questioned.  It  is  also 
important  to  ch«_  1 the  disposition  of  items  that  have  no  scheduled 
tasks.  Is  the  number  disproportionately  high  or  low?  Have  items  whose 
failures  have  neither  safety  nor  operational  consequences  been  reclass- 
ified as  nonsignificant? 

The  worksheets  and  all  supporting  information  should  be  assem- 
bled for  each  item,  usually  with  a cover  sheet  summarizing  all  the  tasks 
and  intervals.  After  this  material  has  been  audited  for  accuracy  and 
completeness,  and  revised  or  corrected  as  necessary,  the  auditor  should 
sign  or  initial  the  list  of  tasks  as  final  approval. 


A • 3 AUDITING  ANALYSIS  OF  THE  EQUIPMENT 

The  auditing  principles  discussed  thus  far  apply  to  all  divisions  of  the 
equipment.  However,  ee  hof  the  major  divisions  — systems,  powerplant, 
and  structure  — has  certain  features  that  pose  specific  problems  during 
analysis. 

ANALYSIS  OF  SYSTEMS  ITEMS 

The  chief  difficulty  in  analyzing  systems  items  is  confusion  about  the 
approp->  w of  analysis  and  the  functions  of  the  specific  item 

under  consideration.  Does  the  list  of  significant  items  consist  of  systems 
and  subsystems,  oerhaps  with  a few  of  the  more  important  complex 
assemblies?  If  more  th  in  500  systems  items  have  been  classified  as 
significant  at  the  aircraft  level,  the  list  is  probably  too  long,  and  if  there 
are  fewer  than  200,  ii  may  be  too  short.  If  any  subsystem  includes  more 
than  half  a dozen  functionally  significant  items,  their  classification 
should  be  reexamined. 

Another  problem  is  finding  the  dividing  line  between  one  system 
and  another.  Have  the  working  groups  agreed  on  the  list  of  significant 
items  and  the  specific  hardware  each  analysis  will  cover?  Does  the  pro- 
cedure allow  for  later  revisions  as  each  group  gets  into  the  details? 
Working  groups  will  occasionally  overlook  a significant  item  or  a 
hidden  function.  The  auditc  r should  check  for  this  by  scanning  the  list  of 
items  classified  as  nonsignificant  and  questioning  any  that  are  doubtful. 
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Several  questions  will  come  up  in  examining  the  list  of  functions 
for  each  item,  Is  the  basic  function  correctly  stated  for  the  system  level 
represented  by  the  worksheet?  (is  the  system  level  clearly  indicated  on 
the  worksheet?)  How  does  the  analyst  know  that  all  the  functions  have 
been  listed?  Does  each  functional  failure  have  at  least  one  failure  mode, 
and  are  the  failure  modes  all  real  and  possible?  Do  the  failure  effects 
reflect  the  complete  impact  of  each  type  of  failure  on  the  rest  of  the 
equipment?  It  pays  to  play  "what  if"  with  the  analyst  for  a sample  of 
failure  possibilities  to  determine  whether  he  has  analyzed  the  item  in 
sufficient  depth. 

In  auditing  the  tasks  assigned  to  the  item  the  auditor  should  check 
to  see  that  on-condition  inspections  are  generally  limited  to  installed 
items.  There  is  a tendency  to  specify  shop  inspections  for  systems  items 
simply  because  they  will  be  in  the  shop  often,  which  may  unnecessarily 
increase  the  workload.  Any  rework  tasks  must  be  substantiated  by 
actuarial  analysis.  Does  this  analysis  show  that  scheduled  rework  will 
in  fact  improve  the  reliability  of  the  item?  Rework  is  not  cost-effective 
for  many  systems  items  even  when  their  failures  are  age-related.  If  a 
rework  task  is  applicable,  has  a cost-effective  interval  been  found? 

Are  discard  tas  , specified  only  for  the  few  systems  items  to  which 
the  manufacturer  has  assigned  life  limits?  Are  safe-life  limits  supported, 
where  possible,  by  shop  inspections  of  opportunity  samples  for  corro- 
sion or  other  damage?  Do  failure-finding  tasks  scheduled  for  installed 
systems  items  duplicate  either  shop  inspections  or  routine  crew  checks? 
Where  such  tasks  are  added  to  crew  duties,  what  consideration  has  been 
given  to  the  present  workload  of  the  operating  crew?  What  provisions 
have  been  made  for  evident  functions  that  the  analyst  knows  will  not  be 
used  regularly  in  the  intended  operating  context? 

ANAL'.  US  OF  POWERPLANT  ITEMS 

In  auditing  a powerplant  program  it  is  important  to  know  exactly  what 
the  powerplant  includes.  In  some  cases  the  analysis  covers  only  the 
basic  engine;  in  others  it  includes  all  the  quick-engine-change  parts. 
If  this  has  not  been  determined,  some  key  items  may  escape  analysis. 
Certain  problems  will  be  a matter  of  coordination.  Was  the  systems 
analysis  of  essential  engine  accessories  far  enough  along  to  be  taken 
into  account  by  the  powerplant  analysts?  Did  thev  have  access  to  the 
structural  analyses  of  the  engine  mounts  and  cowling?  How  do  the  fail- 
ure possibilities  for  these  items  affect  the  basic  engine? 

The  engine  itself  is  subject  to  a number  of  failure  modes  that  involve 
secondary  damage.  Whether  or  not  this  damage  is  critical,  however, 
depends  on  both  the  model  of  engine  and  the  type  of  airplane.  Does 
the  working  group  have  a complete  understanding  of  the  specific  de- 
sign characteristics  of  this  engine?  The  Mi  lure  effects  require  particularly 
careful  auditing.  Has  the  analyst  considered  the  ultimate  effects  in  the 
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absence  of  any  preventive  maintenance,  or  does  the  description  pre- 
suppose that  progressive  failure  modes  will  be  halted  before  they  reach 
the  critical  stage?  Will  a failure  mode  that  would  otherwise  be  critical 
in  fact  be  preempted  by  a noncritical  loss  of  function?  Where  the  failure 
evidence  depends  on  cockpit  instrumentation,  what  instrument  indica- 
tions are  evidence  of  this  particular  type  of  failure  ’ 

Unless  the  engine  is  installed  in  a single-engine  plane,  an  engine 
failure  that  does  not  involve  critical  secondary  damage  does  not  have 
safety  consequences.  Have  evident  failures  been  properly  placed  in  the 
operational-consequences  branch  of  the  decision  diagram? 

Safe-life  items  must  be  covered  by  discard  tasks,  but  most  of  the 
tasks  in  an  initial  powerplant  program  will  be  on-condition  inspections. 
Have  these  inspections  been  assigned  to  installed  engines  whenever 
possible,  to  avoid  the  need  for  engine  removals?  Are  they  limited  to 
known  problem  areas,  with  the  remaining  on-aircraft  inspection  capabil- 
ity reserved  for  troubleshooting  and  later  scheduled  tasks  if  necessary? 
The  intervals  for  inspections  on  installed  engines  should  be  specified  in 
operating  hours  or  flight  cycles,  whereas  shop  inspections  of  internal 
engine  items  should  be  scheduled  to  take  advantage  of  opportunity 
samples.  Have  any  shop  inspections  been  specified  in  a way  that  will 
require  scheduled  removals  or  unnecessary  disassembly  to  reach  a single 
part? 

The  entire  age-exploration  program  for  the  powerplant  should  be 
reviewed.  Does  it  include  procedures  for  increasing  task  intervals  on 
the  basis  of  inspection  findings?  Does  it  provide  for  inspection  of  the 
oldest  parts  available  on  an  opportunity  basis,  without  special  dis- 
assembly for  age-exploration  purposes?  Does  it  include  threshold  limits, 
or  a similar  plan,  to  allow  the  removal  of  most  units  from  service  at  or 
before  the  upper  limit  without  special  engine  removals?  If  any  of  these 
features  are  missing,  that  aspect  of  the  age-exploration  plan  should  be 
questioned. 

ANALYSIS  OF  THE  STRUCTURE 

Auditing  of  the  structure  program  consists  of  a review  of  the  ratings 
and  class  numbers  used  to  establish  the  initial  inspection  interval  for 
each  structurally  significant  item.  Both  the  auditor  and  the  analysts  must 
have  a clear  understanding  of  the  difference  between  damage-tolerant 
and  safe-life  structure,  the  rating  factors  that  apply  in  each  case,  the  basis 
for  rating  each  factor,  and  the  basis  for  converting  the  final  class  number 
into  an  inspection  interval.  Some  members  of  the  working  group  may 
have  more  difficulty  than  others  in  grasping  the  distinction  between 
resistance  to  failure  and  residual  strength.  Are  all  members  of  the 
working  group  using  the  same  definition  of  fatigue  life,  and  are  the 
manufacturer's  data  expressed  in  these  terms?  Was  the  conversion  of 
test  data  into  safe-life  limits  based  on  an  adequate  scatter  factor? 
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The  definition  of  a structurally  significant  item  is  one  of  the  most 
important  aspects  of  the  analysis.  Is  the  basis  for  this  definition  clearly 
understood  by  the  working  group?  Are  the  significant  items  generally 
confined  to  primary  structure,  or  is  needless  effort  being  devoted  to 
evaluation  of  much  of  the  secondary  structure  as  well?  Has  adequate 
consideration  been  given  to  the  possibility  of  multiple  failures  at  the 
same  site?  If  the  designations  are  correct,  most  of  the  significant  items 
will  represent  small  localized  areas,  rather  than  whole  structural  mem- 
bers; otherwise  each  item  will  require  much  more  inspection  time  in  the 
continuing  program.  Has  the  manufacturer's  engineering  department 
participated  in  the  identification  of  significant  items?  No  one  else  is  in 
a position  to  identify  the  structural  elements  most  susceptible  to  fatigue 
failure  and  the  effect  of  such  failures  on  the  strength  of  the  assembly. 

If  the  structure  includes  any  new  material  or  man  'acturing  pro- 
cesses or  is  to  be  operated  under  any  new  conditions,  the  inspection 
intervals  will  be  far  more  conservative.  Even  with  familiar  materials  and 
conditions,  however,  the  test  data  must  be  data  for  this  production 
model.  Is  a fatigue  test  being  conducted  for  the  whole  structure,  and 
will  preliminary  results  be  available  in  time  for  use  in  developing  the 
initial  prog-ant?  Will  inspection  findings  and  any  failure  data  from  the 
flight-test  program  be  available?  The  fatigue  data  should  be  examined 
to  determine  whether  the  flight-load  profile  is  realistic.  The  usual  test 
method  is  flight  cycles;  is  the  conversion  to  operating  hours  realistic  for 
the  intended  operating  environment? 

While  structural  strength  and  fatigue  life  are  the  manufacturer's 
responsibility,  the  operating  organization  is  concerned  in  these  matters 
as  well.  The  working-group  members  must  therefore  have  enough 
information  about  the  design  and  the  test  results  to  be  able  to  evaluate 
and  question  the  manufacturer's  maintenance  recommendations.  One 
point  the  auditor  should  check  at  an  early  stage  is  whether  there  is 
adequate  interaction  between  the  manufacturer's  and  the  operator's 
representatives  to  provide  for  full  participation  by  all  members.  Before 
work  begins  there  must  be  general  agreement  on  the  basis  for  the 
selection  of  significant  items  and  the  basis  on  which  each  factor  will 
be  rated.  A sample  of  structurally  significant  items  and  their  ratings 
should  be  audited  to  make  sure  they  correspond  to  this  agreement 
before  significant  items  are  selected  for  the  whole  structure.  Do  the 
ratings  give  proper  recognition  to  areas  prone  to  corrosion  as  a result 
of  their  location?  Has  external  detectability  heen  properly  considered? 
What  was  the  basis  for  converting  class  numbers  to  intervals?  Are  the 
intervals  similar  to  those  in  current  use  for  other  aircraft? 

The  number  of  structurally  significant  items  on  an  airplane  will 
depend  on  the  size  of  the  airplane,  the  size  of  the  area  designated  as 
significant,  and  in  some  cases  on  the  number  of  ways  it  can  be  accessed. 
Has  the  exact  location  of  each  significant  item  been  clearly  designated? 
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Have  photographs  been  provided  which  show  the  designated  items?The 
working  group  should  verify  the  entire  list  of  significant  items  by  in- 
spection of  an  airplane  in  its  fully  assembled  configuration.  Some  items 
assigned  visual  inspection  may  in  fact  be  hidden  beneath  other  struc- 
tural elements  or  behind  installations.  In  this  case  x-ray  inspection 
may  have  to  be  specified,  or  some  other  approach  to  the  area  may  have 
to  be  employed  for  this  significant  item.  The  tasks  themselves  should 
be  audited  to  ensure  that  the  inspection  plan  as  a whole  does  not  include 
unnecessarily  expensive  or  sophisticated  techniques.  Is  x-ray  inspection, 
for  example,  limited  to  areas  in  which  it  is  known  to  be  useful,  or  are 
all  items  covered  in  the  hope  that  it  will  prove  useful? 

The  basic  inspection  plan  covers  only  structurally  significant  items. 
However,  it  will  be  supplemented  by  general  inspections  of  nonsig- 
nificant structure  as  part  of  the  zonal  program,  preflight  walkaround 
inspections,  and  general  inspections  of  the  external  structure.  The 
structure  program  should  therefore  be  reviewed  in  connection  with 
these  other  programs,  both  for  any  obvious  conflicts  and  to  ensure 
that  all  nonsignificant  portions  of  the  structure  have  been  accounted 
for.  Has  external  structure  that  is  not  visible  from  the  ground  been  taken 
into  account?  Do  the  inspections  assigned  to  structural  elements  in 
systems  and  powerplant  items  take  into  account  the  other  inspection 
requirements  of  these  items? 


NON-RCM  PROGRAM  ELEMENTS 

The  zonal  inspection  program  should  be  audited  to  ensure  that  all 
zones  in  the  airplane  are  included.  If  a rating  scheme  has  been  used  to 
establish  relative  inspection  intervals,  is  it  consistent  with  RCM  prin- 
ciples? Do  the  relative  intervals  for  each  zone  correspond  to  the  rating 
scheme?  How  do  these  intervals  correspond  to  those  for  detailed  in- 
spection of  internal  structurally  significant  items?  If  there  are  conflicts, 
can  the  zonal  inspection  intervals  be  adjusted?  Zonal  inspections  are 
general  visual  inspections;  do  the  tasks  clearly  describe  the  elements 
in  the  zone  to  be  inspected? 

The  servicing  and  lubrication  tasks  should  be  audited  for  complete- 
ness, and  any  deviations  from  the  manufacturer's  recommendations 
should  be  substantiated.  The  specifications  for  walkaround  and  other 
damage  inspections  should  be  audited  to  make  sure  that  all  the  impor- 
tant areas  are  clearly  indicated  — especially  those  most  likely  to  incur 
damage  from  ground  operation  and  from  mechanic  traffic  itself. 

THE  COMPLETED  PROGRAM 

After  each  working  group  has  completed  its  analysis  and  the  results 
have  been  audited  separately,  additional  questions  may  arise  when  the 
program  is  examined  as  a whole.  Some  apply  to  the  accura-  • and  com- 
pleteness of  the  worksheets  when  they  are  summarized  for  each  major 


portion  of  the  airplane;  others  apply  to  packaging  questions  that  arise 
when  all  the  tasks  are  giouped  for  implementation. 

Do  the  tasks  for  each  portion  of  the  airplane  cover  all  levels  of  main- 
tenance? Have  all  of  them  been  transcribed  accurately?  Do  they  still 
make  sense  when  they  are  viewed  together?  One  problem  that  may 
come  up  at  this  stage  is  a discrepancy  in  the  level  of  task  detail  and 
amount  of  explanatory  material  for  different  items.  All  the  tasks  should 
be  reviewed  to  see  that  they  meet  the  original  definition  of  the  final 
product.  Are  there  any  gaps  or  overlaps?  If  the  final  product  is  simply  a 
list  of  the  tasks  and  their  intervals,  have  those  intervals  that  are  flexible 
been  indicated,  to  facilitate  packaging  decisions? 

Packaging  presents  special  auditing  problems,  since  the  standards 
to  be  applied  depend  on  the  organization,  its  routing  practices,  the 
fleet  size,  the  number  and  location  of  maintenance  facilities,  and  a 
variety  of  other  factors.  Have  these  been  taken  into  account?  Are 
the  most  frequent  tasks  the  kind  that  can  be  accomplished  at  small 
stations  with  limited  staff  and  facilities?  Auditing  the  packaging  of  the 
tasks  is  primarily  a matter  of  determining  whether  the  tasks  have  been 
scheduled  as  efficiently  as  possible  for  a given  set  of  circumstances. 

The  impact  of  the  maintenance  program  on  the  intended  use  of 
the  equipment  should  not  be  overlooked  in  the  audit.  Will  the  proposed 
maintenance  schedule  permit  each  aircraft  to  carry  out  the  longest  series 
of  scheduled  flights  without  interruption?  If  not,  can  either  the  operating 
schedule  or  the  maintenance  schedule  be  revised?  Does  the  program 
allow  for  all  the  operating  environments  that  will  be  encountered,  in- 
cluding a possible  change  from  one  set  of  operating  conditions  to  another 
for  the  same  aircraft?  Does  it  provide  for  RCM  analysis  of  any  new 
systems  or  tasks  that  may  be  added  as  a result  of  age  exploration? 

A -4  AUDITING  THE  ONGOING  PROGRAM 

Once  the  initial  RCM  program  has  been  completed  and  packaged  for 
implementation,  a gioup  within  the  organization  will  also  be  needed 
to  monitor  failure  data  and  the  results  of  age  exploration  and  revise  the 
prior-to-service  program  accordingly.  The  plans  for  these  activities  and 
overall  management  of  the  ongoing  program  are  also  subject  to  auditing. 

Certain  information  systems  must  be  established  before  the  aircraft 
goes  into  service: 

► A system  for  reporting  failures,  their  frequency,  and  their  conse- 
quences 

► An  age-exploration  system  for  continual  evaluation  of  age-condition 
information,  with  procedures  for  extending  task  intervals  as  rapidly 
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► A system  for  controlling  the  addition  of  new  scheduled  tasks  to 
ensure  that  they  meet  RCM  criteria  before  they  are  accepted 

► A system  for  periodic  reevaluation  of  all  tasks  in  the  program  to 
eliminate  those  which  are  no  longer  needed 

► A system  for  reviewing  the  content  of  thie  work  packages  as  the 
size  of  the  fleet  grows 

► A system  for  evaluating  unanticipated  problems  and  determining 
the  appropriate  action 

Are  the  present  information  systems  adequate  to  meet  all  these  require- 
ments? Are  they  adequate  for  the  size  and  age  of  the  fleet?  How  familiar 
are  the  key  personnel  with  basic  RCM  concepts,  and  how  are  differences 
of  opinion  resolved? 

Auditing  an  ongoing  maintenance  program  may  require  different 
skills  and  experience  from  those  needed  to  audit  program  development. 
The  auditor's  questions  during  program  development  are  chiefly  at  the 
procedural  level.  At  this  stage,  however,  the  auditor  may  often  find 
himself  in  an  adversary  situation,  where  much  of  his  work  is  with 
people  having  differing  viewpoints  about  what  shoqld  or  should  not 
be  done.  Thus  he  will  have  to  be  both  inquited\i\*e  And  objective  to 
discern  the  overall  pattern  of  reliability  inf6i*)rhatibn  from  various 
sources  and  interpret  its  impact  on  the  maintenance  program. 

A • 5 AUDITING  NEW  PROGRAMS 
FOR  IN-SERVICE  FLEETS 

The  auditing  principles  in  Sections  A.2  and  A.3  also  apply  to  new  RCM 
programs  for  in-service  aircraft,  but  there  are  some  additional  factors 
to  bear  in  mind.  Older  aircraft  may  not  be  as  sophisticated  or  complex 
as  those  currently  being  developed,  and  there  are  often  fewer  fan-safe 
or  damage-tolerant  features.  Consequently  both  the  pattern  of  analysis 
and  the  resulting  tasks  may  differ  somewhat  from  those  for  a new  air- 
plane. Another  reason  for  the  difference,  however,  iS  that  much  of  the 
age-exploration  information  is  already  availably,-  thus  the  tasks  that 
would  ordinarily  be  added  later  to  a prior-to-servic^  prbgram  will  appear 
from  the  outset  in  a new  program  for  in-service  equipment. 

It  is  especially  important  for  the  auditor  to  detefoxini  that  the  new 
RCM  program  is  not  being  developed  by  an  analysis  of  the  existing 
tasks,  but  represents  a completely  independent  analysis  of  the  equip- 
ment. The  set  of  tasks  resulting  from  this  analysis  should  then  be 
compared  with  the  existing  program  to  determine  the  differences.  At 
this  time  the  current  tasks  that  were  not  included  in  the  new  program 
368  APPENDICES  should  be  reviewed,  but  only  to  ensure  that  nothing  has  been  missed. 


In  developing  a program  for  a new  type  of  airplane  reliability  data 
on  similar  items,  even  when  it  is  available,  may  or  may  not  apply  to  the 
item  under  study.  In  this  case,  however,  the  necessary  information  is 
available  from  actual  operating  expnence.  Thus  one  of  the  major  dif- 
ferences in  auditing  the  analysis  uself  is  { determine  that  the  data 
were  in  fact  used  and  were  used  correctly.  The  auditor  should  make  sure 
that  rework  tasks,  for  example,  have  not  been  selected  without  an  actu- 
arial analysis  of  the  data  on  this  item.  A sample  of  the  actuarial  analyses 
themselves  should  be  reviewed  to  see  that  they  conform  to  the  general 
methods  outlined  in  Appendix  C. 

The  number  of  tasks  in  the  program  will  ordinarily  be  somewhat 
greater  for  an  in-service  airplane,  and  in  many  cases  there  will  be  quite 
a few  rework  tasks  for  systems  items.  These  should  be  reviewed  thor- 
oughly to  make  sure  they  are  necessary;  however,  an  older  airplane  may 
require  more  rework  tasks  than  a new  one  for  several  reasons.  First, 
the  results  of  age  exploration  will  show  that  a few  rework  tasks  are 
economically  desirable  and  should  be  included  in  the  program.  Second, 
the  older  designs  may  actually  have  more  assemblies  that  show  a wear- 
out  pattern.  There  may  also  be  a larger  number  of  scheduled  tasks  for 
hidden  functions  because  of  older  design  practices,  and  the  numb  ?r  of 
on-condition  tasks  may  be  slightly  higher  because  ways  of  exploiting 
these  relatively  inexpensive  inspections  will  have  been  found  for  a 
number  of  items. 

In  comparing  the  completed  RCM  program  with  the  existing  pro- 
gram the  auditor  will  have  to  take  differences  in  terminology  into 
account.  Many  older  programs  call  some  tasks  on-condition  that  do  not 
meet  the  criteria  for  this  type  of  task.  They  may  be  inspections  of  the 
general  condition  of  the  item,  or  they  may  be  inspections  to  find  func- 
tional failures  rather  than  potential  failures.  Similarly,  the  designation 
condition  monitoring  will  actually  include  failure-finding  tasks  for  some 
items.  In  case  of  doubt  the  auditor  (or  the  analyst)  may  have  to  refer  to 
the  job- instruction  card  for  the  present  task  to  determine  its  act aal 
nature. 

As  with  any  program-development  project,  the  results  should  be 
reviewed  to  ensure  that  they  are  in  accord  with  the  definition  of  the 
final  product.  In  the  case  of  a program  for  in-service  equipment  the 
final  product  may  consist  only  of  the  new  RCM  program,  or  it  may 
include  a full  cost  comparison  of  the  two  programs  and  perhaps  a list 
of  recommendations. 


section  A- s 369 


APPENDIX  B 


the  history  of  rcm  programs 


MAINTENANCE  THEORY  in  the  aircraft  industry  began  with  certain  tradi- 
tional ideas.  One  was  the  assumption  that  there  is  a one-to-one  rela- 
tionship between  scheduled  maintenance  and  operating  reliability; 
hence  the  more  scheduled  maintenance,  the  more  reliable  the  equip- 
ment would  be.  Since  it  was  further  assumed  that  reliability  is  always 
related  to  operating  safety,  these  ideas  led  to  the  belief  that  each  item 
had  a “right"  overhaul  time  which  could  be  discovered  but  must  not 
be  exceeded  in  the  meantime. 

Over  the  years  equipment  designers  have  been  able  to  eliminate 
the  possibility  of  most  critical  failures,  and  although  the  two  issues 
cannot  be  entirely  dissociated,  modem  aircraft  design  practices  have 
greatly  weakened  the  relationship  between  safety  and  reliability.  While 
safety  is  the  first  consideration  that  leads  to  failure-tolerant  or  damage- 
tolerant  design,  redundancy  in  commercial  aircraft  usually  extends  be- 
yond this  point  to  enable  an  airplane  to  continue  scheduled  operations 
despite  one  or  more  functional  failures.  In  fact,  dispatch  reliability  is 
now  a competitive  design  feature.  As  a result  of  these  design  practices, 
equipment  designers  have,  in  effect,  ensured  that  operating  safety  has 
the  least  possible  dependence  on  scheduled  maintenance  — although  this 
dependence  still  exists  for  a small  number  of  failure  modes. 

The  gradual  recognition  that  safety  and  reliability  were  no  longer 
synonymous  in  the  case  of  aircraft  led  to  a genera)  questioning  of  tradi- 
tional maintenance  practices  on  economic  grounds.  These  questions 
were  given  impetus  by  the  fact  that  certain  types  of  failures  were  not 
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tices.  Consequently  a number  of  studies  were  conducted  in  the  late 
1950s  to  identify  the  actual  relationship  between  overhaul  times  and 
reliability.  The  results  necessitated  a rejection  of  the  simple  belief  that 
every  item  had  a right  overhaul  time,  and  the  focus  changed  to  the 
development  of  alternative  approaches,  which  eventually  culminated 
in  the  present  form  of  RCM  analysis  as  a basis  for  determining  mainte- 
nance requirements.  This  appendix  describes  the  more  important  pro- 
grams that  were  implemented  during  this  evolutionary  period,  along 
with  some  of  the  studies  that  led  to  the  abandonment  of  traditional 
hard-tur.e  policies  in  the  commercial-aircraft  industry. 


B • 1 THE  HARD-TIME  PARADOX 

The  Federal  Aviation  Regulations  governing  the  maintenance  and  oper- 
ation of  commercial  aircraft  still  embody  the  traditional  concept  that 
the  length  of  time  between  successive  overhauls  is  an  important  factor 
in  operating  safety.  The  Federal  Aviation  Act  of  1958  empowered  the 
Secretary  of  Transportation  to  prescribe  and  revise  from  time  to  time 
"reasonable  rules  and  regulations  governing,  in  the  interest  of  safety, 

. . . the  periods  for,  and  the  manner  in  which,  . . . inspection,  servicing, 
and  overhauls  shall  be  made."  This  wording  is  still  in  effect.*  More 
specifically,  Federal  Aviation  Regulation  121.25,  revised  in  1973,  requires 

•Title  VI,  Safety  Regulation  of  Civil  Aeronautics,  Aeronautical  Statutes,  sec.  601(a)(3).  SECTION  B*1  371 
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that  all  commercial  air  carriers  formally  institute  "time  limitations,  or 
standards  for  determining  time  limitations,  for  overhauls,  inspections, 
and  checks  of  airframes,  engines,  propellers,  appliances  and  emergency 
equipment." 

Besides  the  regulations  proper,  the  FAA  also  provides  guidelines 
in  the  form  of  advisory  circulars,  intended  to  facilitate  application  of  the 
regulations.  According  to  Advisory  Circular  121-1A,  issued  in  June  1978, 
"for  those  aircraft  not  listed  in  AC  121-1A  or  an  MRB  document,  the 
basic  principle  followed  by  the  Administrator  will  be  that  the  inspec- 
tions, checks,  maintenance,  or  overhaul  be  performed  at  times  well 
within  the  expected  or  proven  service  life  of  each  component  of  the 
aircraft."*  The  interesting  point  about  these  regulations  and  guidelines 
is  that  they  are  still  the  official  form,  even  though  most  airlines  today 
receive  full  approval  of  maintenance  programs  that  have  little  to  do 
with  the  traditional  frame  of  reference  implied  by  the  rules. 

Under  these  circumstances,  however,  it  is  not  surprising  that  the 
initial  scheduled-maintenance  program  for  the  Douglas  DC-8,  author- 
ized in  1959  by  the  FAA  Maintenance  Review  Board,  established  hard- 
time overhauls  for  339  items,  in  addition  to  scheduled  overhauls  for  the 
engine  and  for  the  airplane  as  a whole.  The  objective  of  the  program- 
development  team  was  to  establish  overhaul  times  which  were  "well 
within  the  expected  or  proven  service  life  of  each  component  of  the 
aircraft."  It  is  interesting  to  examine  the  human  capability  of  achieving 
this  objective  as  it  was  interpreted  then. 

Exhibit  B.l  shows  the  actual  failure  rates,  plotted  as  a function  of 
the  initial  overhaul  times,  for  the  55  items  on  the  DC-8  which  experi- 
enced the  highest  numbers  of  premature  removals.  The  data  arc  sepa- 
rated to  differentiate  between  electronic  and  nonelectronic  items,  but 
in  either  case  there  was  evidently  little  success  in  associating  an  initial 
interval  with  the  failure  rate  that  would  be  experienced,  and  hence 
ensuring  that  overhaul  occurred  within  the  service  life  of  the  item.  The 
curve  shows,  for  any  given  failure  rate,  the  age  at  which  only  10  percent 
of  the  units  would  survive  if  the  age-reliability  relationship  were  expo- 
nential. 

Because  of  the  difficulty  in  predicting  the  expected  right  overhaul 
time  for  each  item,  overhaul  intervals  on  a new  type  of  airplane  were  set 
at  relatively  low  ages  and  were  increased  only  with  great  caution.  The 
FAA  required  at  least  three  months  between  successive  increases,  but 
most  airlines  in  fact  permitted  much  longer  periods  of  time  to  elapse. 
And  when  intervals  were  extended,  the  amount  of  increase  was  very 
small.  The  FAA  also  1;  ted  any  increase  in  powerplant  overhaul  times, 
for  exampU , to  no  more  than  100  hours  over  the  previous  limit.  The 

"Standard  Operations  Specifications:  Aircraft  Maintenance  Handbook,  FAA  Advisory  Cir- 
cular 121-1A,  June  1978. 
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EXHIBIT  B‘l  Premjlure-ri  moval  rates  of  systems  items  on  the 
Douglas  DC-8,  plotted  against  the  overhaul  limit  assigned  to  each 
item  in  the  initial  maintenance  program.  The  data  points  in  color  are 
for  electronic  items  and  those  irt  black  are  for  nonelectronic  items. 

The  curve  represents  the  failure  rate  at  which  10  percent  of  the  units 
(both  electronic  and  nonelectronic)  would  survive  to  a given  age  limit. 
(United  Airlines) 

basis  for  extending  the  overhaul  limits  was  a complete  teardown  inspec- 
tion of  a number  of  serviceable  items  that  had  reached  the  current  age 
limit  and  an  evaluation  of  the  condition  of  each  part  to  judge  whether 
it  could  have  continued  to  operate  to  the  proposed  new  age  limit. 

While  this  procedure  might  at  first  seem  similar  to  an  on-condition 
process,  note  that  in  most  cases  there  was  no  means  of  meeting  the 
criteria  of  applicability  for  an  on-condition  inspection: 

^ It  must  be  possible  to  detect  reduced  failure  resistance  for  a specific 
failure  mode. 

^ It  must  be  possible  to  define  a potential-failure  condition  that  can 
be  detected  by  an  explicit  task. 

^ There  must  be  a reasonably  consistent  age  interval  between  the  time 
of  potential  failure  and  the  time  of  functional  failure. 

Since  the  teardown-inspection  findings  provided  no  objective  basis  for 
extending  overhaul  intervals,  the  continued  viability  of  the  item  was 

tested  by  monitoring  the  failure  rates  and  failure  modes  at  the  new  limit  SECTION  B-l  373 


EXHIBIT  B-2  Age-reliability  analyses  of  two  types  of  reciprocating 
aircraft  engines  which  illustrate  the  difficulty  in  interpreting 
teardowr-inspection  findings,  Inspection  reports  were  favorable  for 
the  Wright  R-3350  and  unfavorable  for  the  Pratt  & Whitney  R-2800. 
The  red  portion  of  the  curves  represents  analyses  performed  in  the 
spring  of  p>5«>,  and  the  black  portion  represents  subsequent  analyses 
performed  in  1863.  (United  Airlines) 


to  ensure  that  the  extension  had  not  adversely  affected  reliability  — and 
then  the  cycle  was  repeated.  The  assumption  was  that  this  process  of 
incremental  time  extensions  would  ultimately  identify  the  correct  over- 
haul age. 

This  procedure  also  led  to  some  perplexing  situations.  In  the  spring 
of  1959  extension  of  the  overhaul  limit  for  two  different  types  of  recipro- 
cating aircraft  engines  was  under  consideration.  One  engine,  the  Wright 
R-3350  TC  18,  had  a high  enough  failure  rate  that  very  few  engines  sur- 
vived to  the  current  overhaul  limit  of  1,300  hours;  consequently  it  was 
difficult  to  obtain  time-expired  sample  engines  for  the  teardown  inspec- 
tions. Nevertheless,  the  opinion  of  the  inspection  team  was  that  the 
parts  of  those  engines  that  had  survived  to  the  limit  were  in  very  good 
condition,  and  that  these  particular  engines  could  have  continued  in 
operation  to  much  higher  ages  without  experiencing  failures.  On  this 
basis  the  team  recommended  that  the  overhaul  limit  be  extended.  It  was 
apparent,  however,  that  the  time  extension  would  be  of  little  economic 
benefit,  since  even  fewer  engines  would  survive  to  the  new  limit. 

The  other  engine,  the  Pratt  & Whitney  R-2800  CA  15,  had  a low  fail- 
ure rate.  Hence  a large  number  of  engines  had  survived  to  the  current 
overhaul  time  of  1,  30  hours,  and  it  was  relatively  easy  to  obtain  time- 
expired  sample  engines  for  the  teardown  inspections.  In  this  case,  how- 
374  APPENDICES  ever,  the  same  inspection  team  judged  many  of  the  parts  to  be  in  poor 


enough  condition  that  the  sample  engines  could  not  have  operated  to 
the  proposed  new  overhaul  limit  without  experiencing  failures.  The 
inspection  team  therefore  recommended  against  extending  the  limit 
for  this  engine.  The  time  extension  would  have  high  economic  value, 
however,  if  the  opinion  concerning  increased  likelihood  of  failure 
proved  incorrect,  since  so  many  engines  were  surviving  to  the  current 
limit. 

Actuarial  analyses  were  performed  to  determine  the  age-reliahihty 
characteristics  of  both  types  of  engines;  the  results  of  these  analyses  are 
shown  by  the  red  portion  of  the  curves  in  Exhibit  B.2.  Note  that  the 
opinions  expressed  by  the  inspection  team  are  equivalent  to  a conten- 
tion (1)  that  the  conditional  probability  of  failure  for  the  first  engine  will 
show  a marked  decrease  at  ages  greater  than  the  current  limit,  and  (2) 
that  the  conditional  probability  of  failure  for  the  second  engine  will  show 
an  abrupt  increase  at  ages  greater  than  the  current  limit.  The  reliability 
analyst.,  argued  that  abrupt  changes  in  age-reliability  characteristics 
were  unlikely  to  occur,  and  the  overhaul  times  of  both  engines  were 
extended. 

The  black  portion  of  the  curves  in  Exhibit  B.2  shows  the  results 
of  analyses  made  in  March  1963,  after  the  overhaul  times  of  both  engines 
had  been  extended  well  beyond  those  that  existed  when  the  conflict 
between  the  inspection  findings  and  the  actuarial  findings  first  became 
apparent.  The  overhaul  time  of  the  Pratt  & Whitney  R-2800  was  ulti- 
mately extended  to  3.300  hours,  with  substantial  economic  benefits, 
despite  adverse  inspection  reports  at  each  step.  Since  the  inspection 
team  consisted  of  skilled  people  familiar  both  with  the  items  in  ques- 
tion and  with  airline  maintenance  processes,  this  contradiction  of  their 
findings  by  actuarial  analysis  has  continued  to  be  a paradox. 

The  FAA's  last  determined  effor!  to  control  operating  reliability  by 
adjustment  of  hard-time  overhaul  limits  was  in  August  1960,  when  it 
issued  the  Turbine  Engine  Time  Conlrol  Program.  In  this  case  the  basis 
for  adjustment  of  overhaul  limits  was  the  in-flight  engine-shutdown 
rate  experienced  by  the  operating  airline,  rather  than  the  recommenda- 
tion of  an  inspection  team.  The  adjustment  of  overhaul  intervals  was 
related  to  the  shutdown  rate  for  the  preceding  three-month  period  as 
follows: 


shutdown  rate 
(per  1,000  engine  hours) 
Greater  than  0.20 
0.15-0.20 
0.10-0.15 
Less  than  0.10 


overhaul-time  adjustment 
100- hour  reduction 
No  adjustment 
100-hour  extension 
200-hour  extension 


This  program  elicited  strong  negative  reaction  from  the  airlines,  since 
the  basis  for  adjustment  was  highly  sensitive  to  variations  in  the  shut- 
down rate  caused  by  sampling  effects  and  did  ..  /t  provide  for  engine 
'■hutdowns  due  to  the  failures  of  accessories  which  were  not  part  of  the 
1 isic  engine.  The  program  was  hort-lived. 


B • 2 CHANGING  PERCEPTIONS  OF 
THE  HARD-TIME  POLICY 

By  the  late  1950s  sufficient  operating  data  had  accumulated  for  intensive 
studies  of  the  effectiveness  of  prevailing  scheduled-maintenance  meth- 
ods. These  studies  brought  several  important  facts  to  light: 

► It  was  beyond  human  capability  to  set  an  initial  overhaul  time  that 
would  be  well  within  the  proven  service  life  of  an  item. 

► When  the  likelihood  of  failure  did  increase  with  age,  the  reports 
from  teardown  inspections  often  conflicted  with  the  results  of  actu- 
arial analysis.  The  teardown  inspections  were  apparently  unable  to 
identify  failure  resistance  in  a discriminating  manner. 

► There  were  many  items  for  which  the  likelihood  of  failure  did  not 
increase  with  operating  age,  and  hard-time  limits  had  no  effect  on 
reliability  in  these  cases. 

A better  method  of  determining  scheduled-maintenance  requirements 
was  clearly  needed. 

During  the  same  period  the  FAA  and  the  airlines  were  expressing 
continuing  concern  about  the  high  failure  rate  of  the  Wright  R-3350 
engine  and  the  fact  that  various  changes  in  maintenance  policy  had 
resulted  in  no  significant  improvement  in  its  reliability.  This  situation, 
and  the  general  need  for  an  improved  overhaul-time  policy  for  aircraft 
turbine  engines,  led  to  the  formation  in  I960  of  a task  for,  a,  with  repre- 
sentatives from  both  the  FAA  and  the  Air  Transport  Association.  This 
team  was  charged  with  the  responsibility  of  obtaining  a better  under- 
standing of  the  relationship  between  overhaul  policy  and  operating 
reliability. 

The  result  of  this  study  was  the  FAA/lndustry  Reliability  Program, 
issued  in  November  1961.  The  introduction  to  this  publication  stated  the 
objective  of  the  program  as  follows:* 

The  development  of  this  program  is  toward  the  control  of  reliability 
through  an  analysis  of  the  factors  that  affect  reliability  and  pro- 
vide a system  of  actions  to  improve  low  reliability  levels  when  they 

'l' A A!  Industry  Reliability  Program.  Federal  Aviation  Agency,  November  7,  1961,  p.  1. 
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EXHIBIT  B'3  The  effect  of  changing  overhaul  policies  on  the  rate  of 
interval  extension  for  the  Piatt  & Whitney  JT4  engine.  The  Propulsion 
System  Reliability  Program,  authorized  in  November  1%1,  represented 
the  first  significant  change  in  the  emphasis  on  overhaul  intervals, 
although  it  still  presupposed  a relationship  between  scheduled 
overhaul  and  reliability.  (United  Airlines) 


exist.  In  the  past,  a great  deal  of  emphasis  has  been  placed  on 
the  control  of  overhaul  periods  to  provide  a satisfactory  level  of 
reliability.  After  careful  study,  the  Committee  is  convinced  that 
reliability  and  overhaul  time  control  are  not  necessarily  directly 
associated  topics;  therefore,  these  subjects  are  dealt  with  separately. 

Because  the  propulsion  system  has  been  the  area  of  greatest  con- 
cern in  the  recent  past,  and  due  to  powerplant  data  being  more 
readily  available  for  study,  programs  are  being  developed  for  the 
propulsion  system  first,  as  only  one  system  at  a time  can  be  success- 
fully worked  out. 

The  publication  authorized  a trial  period  fora  new  Propulsion  Sys- 
tem Reliability  Program  which  established  a shutdown-alert  rate  for 
each  type  of  engine.  If  an  airline  experienced  a shutdown  rate  that 
exceeded  the  alert  value,  an  investigation  was  required  to  determine  the 
reasons,  and  action  appropriate  to  the  results  of  the  investigation  was 
to  be  taken.  There  was  no  requirement,  however,  that  overhaul  times 
be  either  reduced  or  not  extended  further,  unless  the  investigation  indi- 
cated this  action  as  a remedy.  Teardown  inspections  were  also  restored 
as  the  basis  for  extending  overhaul  times.  The  number  of  lime-extension 

samples  was  a function  of  fleet  size  and  ranged  from  a sample  of  1 for  SECTION  B-2  3 77 
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a fleet  of  four  or  fewer  operating  units  to  a sample  of  6 for  101  or  more 
operating  units.  The  requirement  of  a minimum  calendar  peri'-  4 be- 
tween successive  extensions  was  eliminated.  This  last  change  greatly 
increased  the  rate  of  overhaul-time  extension  (see  Exhibit  B.3)  and  low- 
ered maintenance  costs  by  reducing  the  number  of  engines  in  the  over- 
haul process. 

It  had  already  been  recognized  that  each  type  of  engine  had  a group 
of  short-lived  parts  that  could  not  survive  through  the  entire  scheduled- 
overhaul  interval.  The  trial  program  therefore  provided  for  monitoring 
of  some  of  these  parts  by  on-condition  inspections,  with  replacement 
of  deteriorated  parts  as  necessary.  The  other  short-lived  parts  were  to 
be  replaced  at  a scheduled  "engine  heavy  maintenance"  (hot-section) 
visit.  The  limit  on  the  heavy-maintenance  interval  was  imposed  by  the 
shortest-lived  part  that  depended  on  this  shop  visit  for  maintenance 
action.  The  limit  was  increased  as  improved  parts  were  developed. 
Again,  each  increase  was  based  on  the  condition  of  a sample  of  time- 
expired  engines.  The  requirement  for  scheduled  engine  heavy  mainte- 
nance was  abandoned  altogether  in  1972  in  favor  of  scheduled  rework 
or  discard  tasks  where  applicable  and  effective  for  specified  individual 
engine  parts. 

The  trial  Propulsion  System  Reliability  Program,  which  later  be- 
came a permanent  program,  represented  a significant  weakening  of  the 
traditions!  emphasis  on  hard-time  overhauls  ns  a major  factor  in  engine 
reliability.  This  program  was  legally  enabled  by  the  clause  in  the  regu- 
lations covering  "time  limitations  or  standards  for  determining  time 
limitations"  — the  same  clause  that  had  been  used  earlier  to  promulgate 
the  short-lived  Turbine  Engine  Time  Control  Program.  At  the  time 
the  Propulsion  System  Reliability  Program  was  instituted  it  was  still 
assumed  that  a "right"  overhaul  time  would  ultimately  be  identified 
for  each  type  of  engine. 

After  work  on  the  powerplant  program  was  finished  there  was  no 
agreement  among  the  industry  members  of  the  task  force  concerning 
the  type  of  item  that  should  be  investigated  next.  Consequently  the  FAA 
permitted  each  of  the  airlines  represented  on  the  task  force  to  develop 
and  implement  test  programs  for  those  items  in  which  it  was  most  inter- 
ested. United  Airlines  chose  to  develop  a Component  Reliability  Pro- 
gram for  complex  mechanical  items  which  had  previously  been  assumed 
to  be  among  the  best  candidates  for  hard-time  overhaul.  This  program 
was  initiated  in  February  1963  and  was  at  first  applied  to  six  items:  the 
cabin  compressor,  the  constant-speed  drive,  and  freon  compressor  on 
the  Douglas  DC-8  and  similar  items  on  the  Boeing  720. 

The  components  program  also  presupposed  that  each  item  had  an 
optimum  overhaul  time,  and  the  objective  was  simply  to  identify  this 
limit  in  the  shortest  possible  calendar  time  with  a minimum  cost  for 
378  APPENDICES  interim  scheduled  overhauls.  The  test  program  was  designed  to  demon- 


strate  that  reliability  could  be  controlled  in  the  absence  of  fixed  over- 
haul times  while  the  final  right  time  was  being  sought.  On  this  basis 
particular  attention  was  paid  to  the  following  factors: 

► The  age-reliability  characteristics  of  the  items  as  determined  by 
actuarial  analysis 

New  and  undesirable  failure  modes  that  might  appear  at  higher 
ages 

► 1 ae  total  support  cost  for  the  item 

► The  results  of  a limited  teardown  inspection  of  n small  number  of 
high-time  units 

There  were  no  overhaul  limits  as  such,  and  other  units  were  permitted  to 
continue  aging  in  service  while  the  sample  units  were  being  inspected. 
As  a result,  inspection  data  accumulated  rapidly  and  continually  for  suc- 
cessive age  intervals.  Moreover,  despite  the  continuous  increases  in  the 
age  of  sample  overhauls,  as  illustrated  in  Exhibit  B.4,  there  was  no  reduc- 
tion in  the  reliability  of  the  components  under  this  program. 

The  experience  with  the  trial  programs  conducted  by  the  various 
airlines  prompted  the  FAA  to  issue  Advisory  Circular  120-17,  a Handbook 
for  Maintenance  Control  by  Reliability  Methods,  in  December  1964.  The 
purpose  of  this  document  was  stated  as  follows:* 

This  handbook  provides  information  and  guidance  material  which 
may  be  used  to  design  or  develop  maintenance  reliability  programs 
which  include  a standard  for  determining  time  limitations.  ...  It 
is,  in  addition,  a method  to  realistically  and  responsively  relate 
operating  experience  to  the  controls  establisned. 

With  reference  to  the  test  programs,  the  circular  went  on  to  say: 

The  purpose  of  these  studies  is  to  acquire,  through  practical  appli- 
cation, information  that  could  be  used  to  amend  and  refine  our 
present  system  of  monitoring  operator's  maintenance  quality  and 
yet  permit  the  operator  maximum  flexibility  in  establishing  its 
own  maintenance  controls  within  the  bounds  of  generally  accepted 
maintenance  philosophies. 

United  Airlines  moved  quickly  to  qualify  reliability  programs  for 
various  types  of  items,  because  the  reduced  scheduled-maintenance 
workload  under  the  test  programs  had  not  resulted  in  any  reduction  in 
reliability.  The  residual  maintenance  workload  was  still  large  enough, 
however,  to  warrant  further  attention.  In  January  1965  United  qualified 

’Handbook  for  Maintenance  Control  by  Reliability  Methods,  FAA  Advisory  Circular  120-17, 
December  31,  1%4. 


its  Turbine  Engine  Reliability  Program  under  the  terms  of  Advisory  Cir- 
cular 120-17.  This  program  was  similar  to  the  Component  Reliability 
Program,  but  there  was  a less  demanding  sample-overhaul  requirement 
of  one  engine  per  10,000  hours  of  operating  experience.  This  requirement 
was  changed  from  time  to  time  in  the  next  few  years  until,  in  1968,  the 
requirement  for  sample  overhauls  was  eliminated  entirely.  The  history 
of  the  increase  in  the  sample-overhaul  time  limit  shown  in  Exhibit  B.5 
is  typical  of  the  pattern  for  turbine  engines  during  that  period. 

In  addition  to  the  requirement  for  sample  overhauls  as  a basis  for 
extending  the  engine  overhaul  limit,  the  turbine-engine  program  in- 
cluded a scheduled  shop  visit  foi  engine  heavy  maintenance,  with  time 
extensions  for  this  interval  accomplished  by  a process  similar  to  that 
specified  in  the  Propulsion  System  Reliability  Program.  There  were  also 
scheduled  tasks  to  replace  specific  time-limited  parts  whose  failure  could 
have  a direct  adverse  effect  on  operating  safety.  The  need  for  these 
scheduled  discard  tasks  has  continued  regardless  of  other  changes  in 
maintenance  theory. 

The  Turbine  Engine  Reliability  Program,  with  revisions,  continued 
in  successful  operation  until  1972,  when  it  was  replaced  with  United 

EXHIBIT  B- 5 The  history  of  sample-overhaul  requirements  for  the 
I’ratt  & V\  hitney  JT4  engine  under  successive  test  programs.  The 
Turbine  Engine  Reliability  Program,  authorized  in  January  1965, 
continued  sticcesstully  without  th  ample-overhaul  requirement  until 
it  was  replaced  in  1972  by  current  re'iability-centered  programs. 
(United  Airlines) 


Airlines'  current  program,  called  Logical  Information  Based  on  Relia- 
bility Analysis  (LIBRA),  which  embodies  decision  logic.  A permanent 
and  expanded  Component  Reliability  Program  also  continued  in  opera- 
tion, with  only  minor  changes,  until  the  current  program  was  established 
in  1972.  By  1969  there  were  20  items  under  this  components  program.  Not 
all  of  them  are  still  in  service,  but  the  ages  of  most  of  the  items  that  are 
in  service  are  still  being  permitted  to  increase.  The  rate  of  n-  'icase  is  now 
quite  small,  since  few  units  survive  to  the  maximum  ages  that  have 
been  experienced  without  the  need  for  repair  work  which  is  sufficiently 
extensive  to  zero-time  the  unit.  The  operating  experience  illustrated  in 
Exhibit  B.4  is  typical  of  the  pattern  for  such  items. 

In  June  1965  United  Airlines  obtained  approval  to  implement  a per- 
manent Reliability  Controlled  Overhaul  Program  (RCOH).  This  program 
in  fact  dated  back  to  April  1958,  but  its  use  had  been  restricted  to  a small 
number  of  items.  Items  covered  by  this  program  were  not  subject  to  any 
overhaul  time  limits  at  all;  consequently  there  were  no  sample-overhaui 
requirements.  An  item  qualified  for  the  program  if  actuarial  analysis 
demonstrated  that  the  conditional  probability  of  failure  did  not  increase 
with  increased  time  since  the  last  shop  visit.  In  other  words,  the  item 
had  to  show  an  age-reliability  relationship  represented  by  curve  D,  E, 
or  F in  Exhibit  2.13,  indicating  that  it  could  not  benefit  from  scheduled 
overhaul.  The  program  did  require  that  an  alert  failure  rate,  based  on 
past  operating  history,  be  established  for  each  item  and  that  a fact- 
finding investigation  be  conducted  whenever  the  failure  rate  exceeded 
the  specified  value.  It  was  found,  however,  that  most  excursions  above 
the  alert  rate  were  associated  with  sampling  effects,  and  not  with 
changes  in  age-reliability  characteristics.  By  1969  this  program  covered 
277  'terns  from  various  types  of  airplanes.  These  items  included  many 
mechanical  and  electromechanical  assemblies,  although  most  were  elec- 
tronic components.  This  program  also  continued  in  successful  operation 
until  it  was  replaced  in  1972  by  the  current  program. 

During  the  course  of  both  the  Turbine  Engine  Reliability  Program 
and  the  Component  Reliability  Program  there  was  a rapid  escalation  of 
overhaul  age  Emits  and  a continuing  reduction  in  the  number  of  sample 
overhauls  required  at  each  limit.  Wherever  there  might  have  been  a 
slight  increase  in  the  failure  rate  as  units  reached  higher  ages,  its  effects 
were  more  than  offset  by  the  results  of  product-improvement  activity. 
In  the  process  numerous  age-reliability  relationships  were  defined.  They 
showed  no  pronounced  wearout  characteristics  for  the  components,  and 
much  of  the  wearout  evident  in  the  premature-removal  rates  for  engines 
was  the  result  of  on-condition  inspections,  not  of  functional  failures. 
Finally  in  1972  the  practice  of  a scheduled  complete  disassembly  for 
inspection,  followed  by  an  overhaul,  was  discontinued  entirely  in  both 
programs.  The  Reliability  Controlled  Overhaul  Program  had  never  re- 
quired sample  overhauls  and  relied  instead  on  the  results  of  actuarial 


analysis.  Note  that  all  these  programs  were  based  on  information  that 
had  to  be  derived  from  operating  e>  >erience. 

B • 3 THE  INTRODUCTION  OF 

ON-CONDITION  MAINTENANCE 

The  testing  of  new  concepts  in  the  early  1960s  was  not  limited  to  a search  j 

for  the  best  way  to  identify  optimum  overhaul  limits.  In  1962  the  over-  - j 

haul  concept  itself  was  challenged.  Traditional  overhauls  entailed  com-  \ 

plete  disassembly  and  remanufacture,  and  a shop  visit  which  entailed 

less  work  than  this  was  classified  as  a repair  and  was  not  considered  to  j 

zero-time  the  operating  age  of  the  unit.  Serviceable  units  returned  to  the  J 

supply  organization  after  such  a repair  were  classified  as  "part-time  j 

spares"  to  indicate  that  after  they  were  installed,  they  could  not  remain  j 

on  the  airplane  for  a full  overhaul  interval.  j 

To  reduce  the  need  for  these  early  scheduled  removals,  a new  con- 
cept of  "conditional  overhaul"  was  tested  on  several  items.  A condi- 
tional overhaul  consisted  of: 

► Correction  of  the  immediate  cause  of  failure 

► Such  additional  work,  if  any,  as  required  to  enable  the  unit  to  meet 
the  functional  performance  specifications  for  the  item 

► Certain  specified  inspection  and/or  rework  of  known  points  of  wear 
or  deterioration 

The  operating  performance  of  the  units  that  received  conditional  over-  , 

hauls  was  carefully  monitored,  and  actuarial  analyses  of  these  units  were 
compared  with  analyses  of  units  that  received  the  traditional  complete 

overhauls  to  determine  whether  there  were  any  undesirable  differences  ' 

in  age-reliability  characteristics.  The  only  notable  difference  was  that 
the  units  that  had  received  conditional  overhauls  showed  less  infant 
mortality.  Application  of  the  conditional-overhaul  concept  grew,  and  by 
1965  most  of  the  items  that  were  subject  to  overhaul  limits  were  receiv- 
ing conditional  overhauls,  and  a conditional  overhaul  was  considered 
to  zero-time  the  unit.  This  approach  resulted  in  a marked  reduction  in 
shop  maintenance  costs  with  no  adverse  effect  on  reliability. 

Another  new  concept  introduced  during  this  period  was  United 
Airlines'  Test  and  Replace  as  Necessary  Program  (TARAN),  which  was 
approved  in  January  1964  for  the  Boeing  720  hydraulic  system.  Up  to 
this  point  many  items  in  the  hydraulic  system  had  individual  overhaul 
limits,  frequently  timed  to  coincide  with  the  overhaul  age  for  the  air- 
plane itself.  This  program  depended  instead  on  on-condition  tasks.  It 
consisted  of  a schedule  of  tests  to  be  performed  prior  to  this  major  air- 
plane overhaul  to  determine  whether  there  were  internal  leaks,  an 

indication  of  reduced  failure  resistance,  in  the  hydraulic  subsystems  SECTION  B-3  383 
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and  assemblies.  Only  those  units  that  failed  the  tests  were  removed  and 
routed  to  the  shop  for  overhaul  (repair).  By  1969  United  Airlines  had 
qualified  209  items  on  various  types  of  airplanes  under  this  on-condition 
program. 

Several  facts  had  become  apparent  as  a result  of  all  these  new 
programs: 

► The  reliability  programs  that  had  been  developed  and  implemented 
to  “realistically  and  responsively  relate  operating  experience  to  the 
maintenance  controls  established"  had  demonstrated  that  hard- 
time overhaul  actions  were  of  no  benefit  whatsoever  in  controlling 
the  reliability  of  most  items— that  is,  ”>ost  items  had  no  “right" 
overhaul  timer 

► Actuarial  analysis  provided  a means  of  determining  the  age- 
reliability  characteristics  of  flight  equipment  and  controlling  oper- 
ating reliability  in  the  absence  of  fixed  overhaul  limits. 

► Conditional  overhauls  were  at  least  as  effective  for  most  items  as 
the  overhauls  carried  out  under  traditional  concepts. 

► Reliability  programs  achieved  a major  portion  of  the  economic 
gains  that  could  be  realized  by  elimination  of  those  scheduled- 
maintenance  tasks  that  were  ineffective. 

► Administration  of  a large  number  of  individual  reliability  pro- 
grams was  a burdensome  procedure. 

It  was  clearly  time  for  something  more  than  a piecemeal  approach. 
It  was  now  necessary  to  consolidate  the  existing  knowledge  and  develop 
a technique  by  which: 

► An  effective  scheduled-maintenance  program  could  be  designed 
before  a new  type  of  airplane  entered  service 

► This  program  could  be  modified  after  the  airplane  was  in  service 
and  reliability  information  from  actual  operating  data  was  available 

The  first  attempt  at  a decision-diagram  approach  to  the  development  of 
scheduled-maintenance  programs  was  made  in  1965,  and  by  1967  a 
workable  technique  had  been  developed  and  described  in  professional 
papers,* 

*H.  N.  Taylor  and  F.  S.  Nowlan,  Turbine  Engine  Reliability  Program,  FAA  Maintenance 
Symposium  on  Continued  Reliability  of  Transport- type  Aircraft  Propulsion  Systems, 
Washington,  D C.,  November  17-18,  1965.  T.  D.  Matteson  and  F.  S.  Nowlan,  Current 
Trends  in  Airline  Maintenance  Programs,  A1AA  Commercial  Aircraft  Design  and  Opera- 
tions Meeting,  Los  Angeles,  June  12-14,  1967.  F.  S.  Nowlan,  The  Use  of  Decision  Diagrams 
for  Logical  Analysis  of  Maintenance  Programs,  United  Airlines  internal  document,  August 
2,  1967. 
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Also  in  1967,  the  initial  program  for  the  new  Boeing  737  incorporated 
a procedure  called  System  and  Component  Operating  Performance 
Evaluation  (SCOPE),*  This  procedure  was  applicable  to  classes  of  items 
which  had  been  found  historically  to  have  no  marked  age-reliability 
relationships.  The  program  provided  for  a two-year  period  free  of  any 
overhaul  limits.  During  this  period  the  performance  of  each  item  was  to 
be  monitored,  and  from  then  on  its  performance  wrs  to  be  compared 
with  standards  based  on  the  item's  operation  during  those  two  years. 
An  item  that  did  not  meet  the  standard  of  its  previous  performance  — 
one  whose  failure  rate  might  be  increasing  with  age  — was  then  to  be 
investigated,  and  action  was  to  be  taken,  if  feasible,  to  improve  its  relia- 
bility. The  investigation  might  include  actuarial  analyses  for  specific 
items  that  failed  to  meet  the  performance  standards  if  an  operating  air- 
line chose  to  conduct  such  studies.  However,  no  actuarial  studies  were 
required  to  qualify  an  item  for  exclusion  from  overhaul  limits  in  an 
initial  program. 

This  program  represented  the  first  recognition  in  an  initial  program 
that  certain  items  do  not  benefit:  from  scheduled  maintenance  (later  such 
items  would  be  said  to  be  supported  by  condition  monitoring).  The 
program  covered  49  items  that  would  have  been  assigned  hard-time 
overhaul  limits  under  previous  maintenance  approaches. 


B • 4 THE  AIR  TRANSPORT  ASSOCIATION 
MSG- 1 AND  MSG-2  PROGRAMS 

By  1968,  when  the  initial  scheduled-maintenance  program  for  the  new 
Boeing  747  was  developed,  there  had  been  further  developments.  There 
was  general  recognition  of  three  primary  maintenance  processes  — hard- 
time overhaul,  an  on-condition  pn.  ess,  and  a condition-monitoring 
process.  The  conditions  that  must  be  met  for  each  of  these  processes 
to  be  applicable  had  been  clearly  defined,  and  there  was  a workable 
decision  diagram  that  could  be  used  to  develop  a scheduled-maintenance 
program  that  encompassed  these  three  primary  processes. 

The  FAA  had  indicated  an  interest  in  working  with  the  airline  cus- 
tomers of  the  Boeing  747  to  apply  a newer  and  more  modern  technique  to 
the  development  of  the  initial  maintenance  program  for  this  airplane. 

Accordingly,  a group  of  the  airline  representatives  on  the  747  Mainte- 
nance Steering  Group  drafted  MSG-1,  Handbook:  Maintenance  Evaluation 
and  Program  Development.  This  document,  issued  in  July  1968,  was  used 
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by  special  teams  of  industry  and  FAA  personnel  to  develop  the  new 
Boeing  747  program.  A9  described  by  the  FAA  in  a later  publication, 
these  teams* 

. . . sorted  out  the  potential  maintenance  tasks  and  then  evaluated 
them  to  determine  which  must  be  done  for  operating  safety  or 
essential  hidden  function  protection.  The  remaining  potential  tasks 
were  evaluated  to  determine  whether  they  are  economically  useful. 
These  procedures  provide  a systematic  review  of  the  aircraft  design 
so  that,  in  the  absence  of  real  experience,  the  best  [maintenance] 
process  can  be  utilized  for  each  component  or  system. 

The  Boeing  747  maintenance  program  was  the  first  attempt  to  apply  RCM 
concepts. 

Actual  work  with  MSG-1  identified  many  areas  in  which  the  docu- 
ment could  be  improved,  and  in  March  1970  the  Air  Transport  Associa- 
tion issued  MSG-2:  Airline/Manufacturer  Maintenance  Program  Planning 
Document.  This  document,  which  included  further  refinement  of  the 
decision-diagram  approach,  was  used  to  develop  the  initial  mainte- 
nance programs  for  the  Lockheed  1011  and  the  Douglas  DC-10.  A similar 
document,  entitled  European  Maintenance  System  Guide,  was  prepared 
in  Europe  and  served  as  the  basis  for  development  of  the  initial  pro- 
grams for  the  Airbus  Industrie  A-300  and  the  Concorde.  The  impact  of 
MSG-1  amt  MSG-2  on  the  resulting  programs  is  apparent  from  the  num- 
ber of  items  assigned  scheduled  removal  tasks  — eight  on  the  Boeing 
747  and  seven  on  the  Douglas  DC-10,  in  contrast  to  339  in  the  earlier 
program  for  the  Douglas  DC-8. 

In  1972  MSG-2  was  used  to  develop  reliability  programs  for  all  the 
older  fleets  of  airplanes  operated  by  United  Airlines.  These  individual 
programs  were  implemented  by  the  single  program  LIBRA,  which 
replaced  all  the  earlier  reliability  programs  that  had  been  developed  on 
a piecemeal  basis  for  these  aircraft.  However,  MSG-2  focused  primarily 
on  the  tasks  that  should  be  included  in  an  initial  program  and  provided 
little  guidance  on  other  aspects  of  the  decision-making  process,  such 
as  the  identification  of  significant  items  and  the  use  of  operating  data 
in  modifying  the  initial  program.  The  next  step,  therefore,  was  further 
refinement  of  the  decision-diagram  technique  to  clarify  the  role  of 
failure  consequences  in  establishing  maintenance  requirements,  the 
role  of  hidden-function  failures  in  a sequence  of  multiple  failures,  and 
the  concept  of  default  answers  to  be  used  as  the  basis  for  decisions  in 
the  absence  of  the  necessary  information.  The  result  was  the  technique 
of  RCM  analysis  described  in  this  volume, 
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»)  • 5 THE  RELATIONSHIP  OF  SCHEDULED 
MAINTENANCE  TO  OPERATING  SAFETY 

The  traditional  view  of  scheduled  maintenance  was  that  it  must,  of 
necessity,  increase  operating  safety,  and  therefore  the  more  intensive 
the  maintenance,  the  safer  an  aircraft  would  be.  It  is  quite  possible,  of 
course,  for  the  loss  of  an  essential  function  or  the  secondary  damage 
caused  by  certain  failure  modes  to  have  a direct  effect  on  safety.  Whether 
this  is  the  situation  in  specific  cases,  however,  depends  on  the  design 
characteristics  of  both  the  item  and  the  equipment  in  which  it  is 
installed. 

Since  complex  high-performance  equipment  is  by  nature  subject  to 
failures,  a major  safety  consideration  is  to  ensure  that  it  will  be  failure- 
tolerant  (damage-tolerant).  While  the  basic  forms  of  preventive  main- 
tenance can  very  often  prevent  failures  caused  by  specific  failure  modes, 
they  are  not  as  successful  in  reducing  the  overall  failure  rate  of  complex 
items  subject  to  many  different  types  of  failure.  Fortunately  most  critical 
failures  can  be  prevented  at  the  design  stage  by  the  use  of  redundancy 
to  protect  against  the  complete  loss  of  an  essential  function.  Where  a 
specific  failure  mode  can  cause  critical  secondary  damage,  and  this 
possibility  cannot  be  eliminated  by  modifying  the  design,  there  are  two 
preventive  tasks  that  can  be  used  to  ensure  safety:  on-condition  inspec- 
tions, where  they  are  app'icable  and  effective,  and  discard  of  the  part  in 
question  at  a predetermined  safe-life  limit.  In  both  cases  these  tasks  are 
directed  at  the  individual  part  in  which  the  critical  failure  mode  origi- 
nates. Thus  scheduled  maintenance  can  ensure  realization  of  the  inherent 
safety  levels  of  the  equipment,  but  it  cannot  compensate  for  deficiencies 
in  those  levels. 

The  process  of  RCM  analysis  consists  of  a detailed  study  of  the 
design  characteristics  of  the  equipment  to  determine  the  items  whose 
loss  of  function  would  have  significant  consequences  at  the  equipment 
level,  as  well  as  the  specific  failure  modes  most  likely  to  lead  to  that  loss 
of  function.  This  study  identifies  the  failures  and  failure  modes  that  are 
critical  — those  which  could  have  a direct  effect  on  operating  safety.  It 
also  identifies  those  failures  which  will  be  hidden  and  therefore  repre- 
sent a loss  of  protection  that  might  at  some  later  time  affect  operating 
safety.  We  then  examine  the  various  forms  of  preventive  maintenance 
at  our  disposal  to  determine  which  scheduled  tasks  are  essential  and 
must  be  included  in  the  program  to  prevent  critical  failures.  This  exam- 
ination also  tells  us  which  tasks  are  likely  to  accomplish  this  objective  — 
that  is,  what  tasks  can  prevent  all  failures  and  what  tasks  can  merely 
reduce  the  failure  frequency. 

Modem  transport  aircraft  are  subject  to  very  few  critical  failure 
modes  because  the  design  requirements  of  the  FAA,  as  well  as  the  SECTION  »*5  387 
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specifications  of  operating  organizations  and  manufacturers,  have  been 
adjusted  repeatedly  over  the  years  to  overcome  safety  problems  inherent 
in  the  design  as  soon  as  they  became  apparent,  In  the  process,  however, 
equipment  has  become  more  complex,  and  therefore  subject  to  a greater 
number  of  failures  that  do  not  affect  safety.  Current  thinking  on  the 
relationship  between  safety  and  scheduled  maintenance  can  thus  be 
summarized  as  follows: 

► Failures  are  inevitable  in  complex  equipment  and  can  never  be 
entirely  prevented  by  scheduled  maintenance, 

► Reliability  can  usually  be  dissociated  from  safety  by  the  design 
features  of  the  equipment. 

► A failure  is  critical  only  if  loss  of  the  function  in  question  has  a 
direct  adverse  effect  on  operating  safety  or  if  the  failure  mode  that 
causes  a loss  of  function  also  causes  critical  secondary  damage.  Be- 
cause of  this  second  condition,  an  item  can  have  a critical  failure 
mode  even  when  the  loss  of  its  function  is  not  critical. 

► It  is  possible  to  design  equipment  so  that  very  few  of  its  failures 
or  failure  modes  will  be  critical. 

► In  the  few  cases  in  which  critical  failure  modes  cannot  be  overcome 
by  design,  on-condition  tasks  and  sale-life  discard  tasks  can  make 
the  likelihood  of  a critical  failure  extremely  remote. 

Scheduled  overhaul  has  little  or  no  effect  on  the  reliability  of  com- 
plex items.  Rework  tasks  directed  at  specific  failure  modes  can 
reduce  the  frequency  of  failures  resulting  from  those  failure  modes, 
but  the  residual  failure  rate  will  still  represent  an  unacceptable 
risk.  Consequently  scheduled  rework  is  not  effective  protection 
against  critical  failures. 

^ The  technique  of  RCM  analysis  exp'icitly  identifies  those  scheduled 
tasks  which  are  essential  either  to  prevent  critical  failures  or  to 
protect  against  the  possible  consequences  of  a hidden  failure. 

^ Scheduled-maintenance  tasks  that  do  not  relate  to  critical  failures 
have  no  impact  on  operating  safety.  They  do  have  an  impact  on 
operating  costs,  and  their  effectiveness  must  therefore  be  evaluated 
entirely  in  economic  terms. 
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THE  APPLICABILITY  criteria  for  both  scheduled  rework  tasks  and  economic- 
life  tasks  include  two  conditions  which  require  the  use  of  conditional- 
probability  and  survival  curves  derived  ,om  operating  data: 

► There  must  be  an  identifiable  age  at  which  the  item  shows  a rapid 
increase  in  the  conditional  probability  of  failure. 

► A large  proportion  of  the  units  must  survive  to  that  age. 

both  conditions,  of  course,  relate  to  the  question  of  what  good  an  age 
limit  might  do.  In  this  appendix  we  will  consider  the  problems  and 
methods  involved  in  determining  whether  the  failure  behavior  of  an  item 
satisfies  these  conditions.  Although  much  of  the  computation  is  amen- 
able to  computer  applications,  the  discussion  here  is  confined  to  manual 
methods,  both  to  illustrate  the  computational  details  and  to  indicate  the 
areas  in  which  certain  graphical  procedures  have  distinct  advantages 
over  most  available  computer  methods. 

The  development  of  an  age-reliability  relationship,  as  expressed  by 
a curve  representing  the  conditional  probability  of  failure,  requires  a 
considerable  amount  of  data.  When  the  failure  is  one  that  has  serious 
consequences,  this  body  of  data  will  not  exist,  since  preventive  measures 
must,  of  necessity,  be  taken  after  the  first  or  the  first  few  failures.  Thus 
actuarial  analysis  cannot  be  used  to  establish  the  age  limits  of  greatest 
concern  — those  necessary  to  protect  operating  safety.  In  these  cases  we 
must  rely  instead  on  safe-life  limits  established  on  the  basis  of  the 
manufacturer's  test  data.  Fortunately  safe-life  items  arc  single  parts,  and 
the  ages  at  failure  are  grouped  fairly  closely  about  the  average.  How- 
ever, the  test  data  for  long-lived  parts  are  so  scanty  that  we  usually  can- 
not associate  them  with  any  of  the  well-developed  probability  distribu- 
tions. Thus  a safe-life  limit  is  established  by  dividing  the  test  results  by 
some  conservatively  large  arbitrary  factor,  rather  than  by  the  tools  of 
390  APPENDICES  actuarial  analysis. 
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The  same  limitation  applies  to  failures  that  have  serious  operational 
consequences.  The  first  occurrence  of  such  a failure  frequently  requires 
an  immediate  decision  about  protective  action,  without  waiting  for  the 
additional  data  necessary  for  an  actuarial  analysis.  At  the  other  end  of 
the  scale,  there  will  usually  be  a large  body  of  data  available  for  those 
items  whose  failure  has  only  minor  consequences.  Thus  there  is  ample 
material  for  an  actuarial  analysis  to  determine  whether  an  age  limit 
would  be  applicable,  but  far  less  likelihood  that  it  will  meet  the  condi- 
tions for  cost  effectiveness.  The  chief  use  of  actuarial  analysis  is  for 
studying  reliability  problems  in  the  middle  range  — those  failures  which, 
taken  singly,  have  no  overwhelming  consequences,  but  whose  cumula- 
tive effect  can  be  an  important  cost  consideration. 

» 

C • 1 ANALYSIS  OF  LIFE-TEST  DATA 

Actuarial  analysis  is  simplest  when  it  is  based  on  data  obtained  from  a 
life  test.  In  a life  test  a group  of  units  of  a given  item  begin  operation 
simultaneously  under  identical  operating  conditions.  Each  unit  is  then 
permitted  to  operate  until  it  either  fails  or  reaches  the  age  set  as  the  ter- 
mination age  for  the  test.  A life-test  analysis  conducted  on  a set  of  50 
newly  installed  engines  will  illustrate  both  the  utility  and  the  limita lions 
of  this  approach.  The  test  period  in  this  case  was  2,000  operating  hours, 
and  of  the  50  units  that  started,  29  survived  to  the  test-termination  age, 
accumulating  a total  of  58,000  hours  of  operating  experience.  At  various 
times  during  the  test  period,  21  units  failed,  and  these  failed  units 
accumulated  18,076  hours  of  operating  experience.  The  ages  at  failure 
are  listed  in  Exhibit  C.l  in  order  of  increasing  age  at  failure.  It  is  impor- 
tant to  note  that  each  of  the  50  engines  had  an  opportunity  to  survive 
to  2,000  hours.  Some  did  survive,  whereas  others  failed  at  ages  less  than 
2,000  hours. 
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Exhibit  C.l  also  shows  the  proportion  of  units  surviving  after  each 
engine  failure.  The  first  engine  failed  at  an  age  of  4 hours.  The  other  49 
survived  beyond  that  age.  Thus  49/50,  or  0.98,  of  the  engines  survived 
to  an  age  greater  than  4 hours.  Similarly,  48/50,  or  0.96,  of  the  engines 
survived  to  an  age  greater  than  33  hours.  When  the  proportions  sur- 
viving after  the  age  of  each  failure  are  plotted  on  a graph,  as  shown  in 
Exhibit  C.2,  a smooth  curve  drawn  through  the  points  provides  a smooth 
estimate  of  the  proportion  that  would  survive  — the  probability  of 
survival  — at  any  interim  age.  This  smooth  curve  can  also  be  used  to 
estimate  the  probability  of  survival  in  the  population  of  engines  from 
which  the  sample  of  50  was  selected. 

While  this  freehand  piocess  is  likely  to  result  in  slight  differences 
in  the  smooth  curves  drawn  by  different  analysts,  the  curve  is  always 


EXHIBIT  C l I ifc-li'st  experience  In  2,000  hours  with  50  newly 
inst, died  l"s a 1 1 & Whitney  | f8l)-7  engines.  (United  Airlines) 


number  of  units  in  test  50 

number  of  units  surviving  to  2,000  hours  29 

number  of  units  failed  before  2,000  hours  21 

failure  age  of  units  proportion  surviving  failure  age  of  units  proportion  surviving 

that  failed  (hours)  beyond  failure  age  that  failed  (hours)  beyond  failure  age 
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0.86 

1,664 
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Failure  rate  = 21/76,076 
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Mean  time  between  failures  — 76/176/21  — 

3,623  hours 

Average  age  at  failure  = 

= 18,076/21  - 861  hours 
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EXHIBIT  C' 2 A surviv.il  curve  b.isotl  un  the  lite-iest  ri.it.i  in  I xluhit 
CM.  (United  Airlines) 


constrained  by  the  fact  that  the  proportion  surviving  (and  hence  the 
probability  of  survival)  cannot  increase,  so  that  by  definition  the  first 
derivative  must  be  negative.  This  condition  is  generally  sufficient  to 
force  a high  degree  of  conformity,  at  least  in  the  curves  drawn  by 
experienced  analysts. 

In  looking  at  life-test  data  there  is  sometimes  a temptation  to  con- 
centrate on  the  ages  of  the  units  that  failed,  instead  of  balancing  the 
failure  experience  against  the  survival  experience.  For  example,  the 
test  data  in  Exhibit  C.l  show  a mean  time  between  failures  of  3,623 
operating  hours,  although  the  average  age  of  the  failed  engines  was 
only  861  hours.  This  large  difference  results  from  the  test-termination 
age  of  2,000  hours.  If  the  test  had  run  instead  to  a termination  age  of 

3.000  hours,  additional  failures  would  have  occurred  at  ages  greater 
than  2,000  hours,  making  the  average  age  at  failure  much  higher;  in 
contrast,  the  mean  time  between  failures  would  not  be  much  different. 
If  the  life  test  were  permitted  to  continue  until  all  50  of  the  units  failed, 
the  average  age  at  failure  and  the  mean  time  between  failures  would, 
of  course,  be  the  same. 

Caution  must  be  exercised  in  using  life-test  failure  rates  as  esti- 
mates of  what  might  happen  in  the  future.  If  maintenance  practice 
required  the  replacement  of  all  engines  with  new  ones  at  the  end  of 

2.000  hours,  and  if  the  units  in  the  life  test  represented  a random  sample 
of  the  process  that  would  supply  the  replacement  units,  then  the  failure 
rate  of  0.276  per  1,000  operating  hours  would  be  an  accurate  prediction 
for  the  engine  in  Exhibit  C.l.  However,  it  is  far  more  likely  that  expen- 
sive complex  items  will  receive  extensive  corrective  maintenance,  and 
a repaired  unit  may  or  may  not  exhibit  precisely  the  same  failure  rate 
as  a new  one.  Moreover,  as  dominant  failure  modes  are  identified  and 
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corrected,  the  overall  failure  rate  would  be  expected  to  drop.  There  would 
also  be  little  point  in  removing  the  units  that  survived  the  life  test  from 
service  unless  there  were  strong  evidence  that  removal  at  that  age 
would  result  in  some  overall  gain,  such  as  a lower  failure  rate.  Thus  the 
failure  rate  for  a life  test  tells  us  little  more  than  the  simple  fact  that  there 
were  x failures  for  the  number  ot  hours  of  experience  covered  by  the  test. 

The  life-test  approach  has  certain  disadvantages  in  an  operational 
setting.  Usually  it  is  not  possible  to  select  the  test  units  as  a random 
sample  of  the  population,  since  the  objective  of  the  test  is  to  obtain 
information  as  soon  as  possible.  This  means  that  the  study  will  ordi- 
narily be  based  on  the  first  units  to  enter  service.  Also,  it  cannot  be 
terminated  until  each  of  the  selected  units  has  reached  the  specified 
age  — that  is,  until  the  last  unit  installed  has  reached  the  test-termination 
age.  The  analysis  can  be  advanced,  of  course,  either  by  reducing  the 
number  of  units  in  the  study  or  by  reducing  the  length  of  the  test 
period.  Reducing  the  number  of  units  covered  increases  the  likelihood 
of  being  misled  by  sampling  effects.  Reducing  the  termination  age 
for  the  test  results  in  disregarding  part  of  the  available  information  — 
the  actual  experience  at  ages  greater  than  the  test-termination  age. 


EXHIBIT  C'3  An  example  of  the  information  excluded  by  life-test 
data.  Although  information  is  available  on  unit  4,  which  replaced 
failed  unit  2,  this  unit  will  not  have  aged  to  2,000  hours  by  the 
termination  age,  and  hence  cannot  be  taken  into  account. 
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Exhibit  C.3  illustrates  another  reason  that  certain  available  infor- 
mation cannot  be  used  if  operating  data  are  used  to  simulate  a life 
test.  Suppose  units  1 and  3 survive  to  the  test-termination  age,  and 
unit  2 fails.  In  actual  operations  this  failed  unit  will  be  replaced  by 
unit  4,  which  will  age  in  service  but  will  not  have  reached  2,000  hours 
by  the  time  units  1 and  3 reach  the  termination  age.  Thus,  although  the 
experience  of  unit  4 is  available,  it  cannot  be  considered  in  a life-test 
format.  The  fact  that  this  type  of  analysis  does  not  permit  us  to  use  all 
the  available  information  is  sufficient  reason  in  itself  to  consider  other 
methods  of  analysis  that  do  not  have  this  shortcoming. 

Life-test  analysis  has  one  further  shortcoming  from  the  standpoint 
of  an  operating  organization.  If  there  are  reliability  problems,  the  opera- 
tor will  initiate  product-improvement  programs  and  is  interested  in 
determining  as  quickly  as  possible  whether  such  programs  are  success- 
ful. This  interest  may  be  as  great  as  the  interest  in  age-reliability  rela- 
tionships as  such.  For  this  reason  procedures  for  analysis  have  been 
developed  which  use  operating  data  derived  from  experience  over  a 
relatively  short  calendar  period. 


C • 2 ANALYSIS  OF  DATA  FROM  A DEFINED 
CALENDAR  PERIOD 

The  first  step  in  analyzing  operating  data  over  a defined  calendar  period 
is  to  define  the  length  of  the  period.  The  choice  of  an  appropriate  study 
period  is  always  a compromise  between  two  factors.  On  the  one  hand, 
a short  period  is  desirable  to  expedite  decision  making  and  to  minimize 
the  effects  of  changes  in  the  character  of  the  units  and  the  external 
environment.  On  the  other  hand,  a short  period  limits  the  amount  of 
operating  experience  and  failure  data  that  can  be  considered.  The  rela- 
tive magnitude  of  sampling  effects  is  a function  of  the  number  of  failures 
and  increases  as  the  number  of  failures  decreases.  Experience  suggests 
that  the  calendar  period  selected  for  any  item  should  be  long  enough  to 
include  at  least  20  failure  events. 

Once  the  period  has  been  defined,  the  following  data  must  be 
obtained. 

► The  age  and  identity  of  each  unit  of  an  item  that  was  in  operation  at 
the  beginning  of  the  calendar  period 

► The  age  and  identity  of  each  unit  of  an  item  that  was  still  in  opera- 
tion at  the  end  of  the  calendar  period 

► The  age  and  identity  of  each  unit  that  was  removed  from  operation 
during  the  calendar  period  and  the  reason  for  removal  (failure  of 
this  unit  or  removal  for  some  other  reason) 
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► The  age  and  identity  of  each  replacement  unit  that  was  installed 

during  the  calendar  period 

Notice  the  emphasis  on  unit  identification.  Reliability  analysis  is 
greatly  facilitated  by  giving  each  unit  a unique  serial  number.  Exhibit 
C.4  describes  the  operating  history  of  seven  such  units  over  a three- 
month  calendar  period.  The  same  information  is  displayed  in  Exhibit 
C.5.  Each  horizontal  line  in  the  first  graph  represents  a unit's  operating 
position  on  a piece  of  equipment.  If  the  history  for  all  units  wtre  plotted, 
an  installation  would  follow  the  removal  of  unit  5810  on  May  4.  Similarly, 
a removal  would  precede  the  installation  of  unit  5880  on  May  27— 
unless  that  line  represented  equipment  that  first  entered  service  on 
that  date.  Lack  of  continuity  on  any  line  is  an  indication  that  unit  life 
histories  are  missing.  The  second  graph  shows  the  relationship  between 
events  and  the  operating  ages  of  the  units. 

Briefly,  then,  what  happens  during  a fixed  calendar  period  is  this: 
A certain  number  of  units,  of  varying  ages,  enter  the  study  period  in 
service;  these  units  build  up  time,  with  some  continuing  in  operation 
over  the  entire  period  and  others  being  withdrawn  from  service,  either 
because  they  have  failed  or  for  some  other  reason.  New  units  enter 
service  to  replace  the  ones  that  have  been  removed,  and  these  new 
units  also  accumulate  operating  experience  during  that  time;  some  of 
these  may  also  be  removed  before  the  end  of  the  calendar  period  and 
replaced,  in  turn,  by  other  new  units.  From  this  picture  we  want  to 


EXHIBIT  C-4  Operating  history  of  seven  units  from  May  1 to  July  31, 
M74.  (United  Airlines) 
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EXHIBIT  C-5  Operating  history  of  the  seven  units  in  Exhibit  C.4 
shown  as  a function  of  calendar  time  (top)  and  as  a function  of 
operating  age  (bottom).  (United  Airlines) 
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determine  what  proportion  of  the  units  failed  prior  to  a given  age  and 
what  proportion  survived. 

The  first  step  in  an  actuarial  analysis  is  to  break  the  total  lifetime 
of  the  oldest  unit  down  into  age  intervals.  These  may  be  age  cells  of 
any  length,  but  a reasonable  rule  of  thumb  is  to  have  fewer  age  intervals 
than  there  are  failures  (otherwise  many  of  the  intervals  will  have  zero 
failures).  In  the  situation  described  in  Exhibit  C.6,  for  example,  the 
oldest  engine  in  the  study  was  less  than  5,400  hours  old,  and  there  were 
30  verified  failures  during  the  three-month  study  period;  hence  we  can 
use  200-hour  age  intervals.  The  total  age  range  can  then  be  viewed  as  a 
series  of  discrete  intervals  — 0-200  hours,  201-400  hours,  401-600  hours, 
and  so  on  — and  the  aging  process  consists  of  a series  of  trials  to  traverse 
each  successive  interval.  Thus  the  first  trial  for  a newly  installed  unit  is 
to  traverse  the  0-200-hour  interval.  If  the  unit  fails  prior  to  200  hours, 
the  trial  is  unsuccessful.  If  the  unit  survives  this  interval,  its  next  trial 
is  to  traverse  the  201 -400-hour  interval.  There  are  only  two  possible 
outcomes  for  any  trial:  a successful  traverse  or  a failure. 

The  ratio  of  failures  during  an  interval  to  the  number  of  trials  at  that 
interval  is  the  conditional  probability  of  failure  during  that  age  interval— 
that  is,  it  is  the  probability  of  failure,  given  the  condition  that  a unit 
enters  that  interval.  The  ratio  of  successful  traverses  across  an  interval 
to  the  number  of  trials  at  that  interval  is  the  conditional  probability  of 
survival  across  that  age  interval. 

A trial  is  counted  as  a whole  trial  under  three  circumstances: 

► A unit  enters  an  interval  and  makes  a successful  traverse. 

► A unit  enters  an  interval  and  fails  in  that  interval. 

► A unit  starts  in  an  interval  and  fails  in  that  interval. 

A trial  is  counted  as  a fractional  trial  when: 

► A unit  enters  an  interval  and  is  removed  during  that  interval  with- 
out failure. 

► A unit  stai 's  in  an  interval  and  either  makes,  a successful  traverse  or 
is  removed  during  that  interval  without  failure. 

Each  fractional  trial  is  counted  as  half  of  a whole  trial  — which  it  is,  on 
the  average. 

Consider  the  0-200-hour  age  interval.  Some  of  the  units  that  were 
in  that  age  interval  on  May  1 and  some  of  the  units  that  entered  it  after 
May  1 failed.  Others  made  a successful  traverse  and  survived  to  enter 
the  next  interval,  201-400  hours.  The  number  that  entered  this  next 
interval  is  the  number  that  were  either  in  the  0-200-hour  interval  on 
May  1 or  entered  it  after  that  date,  less  the  number  of  removals  and  the 
number  of  units  which  were  still  in  that  interval  on  July  31.  In  other 
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EXHIBIT  C-6  Procedure  followed  in  an  actuarial  analysis  of  operating 
experience  with  the  Pratt  & Whitney  JTBD-7  engine  on  the  Boeing  737 
from  May  1 to  July  31,  1974.  (United  Airlines) 
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2300 

40,700 

1,401-1,600 

13 

6 

3 

1 

0 

15 

14.0 

2,800 

43,500 

1,601-1,800 

15 

8 

7 

3 

3 

18 

15.5 

2300 

46,300 

1301-2,000 

13 

3 

2 

6 

3 

21 

12.0 

2,100 

48,400 

2,001-2,200 

8 

5 

5 

1 

1 

22 

8.0 

1300 

49,900 

2,201-2,400 

7 

7 

1 

1 

1 

23 

10.0 

1,900 

51300 

2,401-2,600 

12 

5 

2 

5 

2 

28 

12.0 

2,200 

54,000 

2,601-2,800 

10 

2 

4 

3 

1 

26 

8.0 

1300 

55,500 

2^01-3,000 

5 

3 

4 

1 

0 

26 

4.0 

800 

56,300 

3,001-3,200 

3 

0 

0 

1 

1 

27 

3.0 

500 

56300 

3,201-3,400 

2 

3 

2 

1 

1 

28 

.".5 

400 

57,200 

3,401-3,600 

2 

0 

0 

1 

1 

29 

2.0 

300 

57300 

3,601-3300 

1 

1 

0 

0 

0 

29 

1.5 

300 

57300 

3301-4,000 

2 

0 

1 

0 

0 

29 

1.5 

300 

58,100 

4,001-4300 

1 

0 

1 

0 . 

0 

29 

0.5 

100 

58,200 

4,201-4,400 

0 

0 

0 

0 

0 

29 

0.0 

000 

58,200 

4,401-4,600 

0 

0 

0 

0 

0 

29 

0.0 

000 

58,200 

4,601-4,800 

0 

0 

0 

0 

0 

29 

0.0 

000 

58,200 

4301-5,000 

0 

1 

0 

0 

0 

29 

0.5 

too 

58300 

5,001-5,200 

1 

0 

0 

1 

1 

30 

1.0 

.00 

58,400 

5,201-5,400 

0 

0 

0 

0 

0 

30 

0.0 

000 

58,400 

42  30 


* dt‘ 


words,  referring  to  the  column  numbers  in  Exhibit  C.6,  the  number  of 
units  that  leaves  any  age  interval  to  enter  the  next  higher  age  interval  is 
computed  as 

col  2 + col  3 - col  4 — col  5 

Note  that  whenever  a unit  is  removed,  the  replacement  unit,  which 
has  just  come  out  of  the  shop,  enters  the  0-200-hour  interval  at  an  age 
of  0 hours.  There  were  42  units  removed  from  service  during  the  study 
period,  30  caused  by  failures  and  12  for  other  reasons.  This  means  that 
42  units  entered  the  0-200-hour  interval  as  new  units.  The  number 
entering  each  of  the  other  intervals  must  be  calculated  from  the  equation 
above. 

Now  we  must  calculate  the  trials  associated  with  each  age  interval. 
The  number  of  traverses  of  the  upper  boundary  of  an  interval  is  greater 
than  the  number  of  successes  during  the  calendar  period,  because  those 
units  that  were  already  in  that  interval  on  May  1 had,  on  the  average, 
each  completed  half  a trial.  The  number  of  trials  associated  with  the 
successful  traverses  is  therefore 

(col  2 + col  3 - col  4 - col  5)  - = col  2 + - col  4 - col  5 


Each  engine  failure  counts  as  a full  trial.  The  engine  removals  that 
were  not  associated  with  failures  and  the  units  that  were  still  in  the 
age  interval  on  July  31  are  counted  as  fractional  trials.  The  total  number 
of  trials  associated  with  an  age  interval  is 

, „ , col  3 , . , _ . col  5 — col  6 . col  4 

col  2 -I — col  4 — col  5 + col  6 H 1 — ;j— 

, „ . col  3 col  4 col  5 , col  6 
= col  2 + — r r r + r 


Each  trial  associated  with  a successful  traverse  represented  200 
hours  of  operating  experience.  Each  engine  removal  and  each  unit  still 
in  the  interval  on  July  31  therefore  represents  an  average  of  100  hours  of 
operating  experience.  Consequently  the  operating  experience  repre- 
sented by  an  age  interval  is  computed  as 


200  X 


[(' 


col  2 + - col  4 


, i /co1  5 , col  4\" 

c°15j  ' + — jj 


= 200  X col  2 + 


c 


col  3 

col  4 

col  5 

2 

2 

2 

The  next  step  is  calculation  of  the  proportion  of  the  trials  that  end 
in  successful  traverses  of  each  age  interval  and  the  proportion  that  result 
in  failure  in  each  interval.  The  results  of  these  calculations  are  shown  in 
Exhibit  C.7.  The  proportion  of  units  surviving  or  failing  in  a given  age 
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EXHIBIT  C-7  Survival  characteristic!)  of  the  Pratt  & Whitney  JT8D-7 
engine  nn  the  Boeing  737  during  the  period  May  1 to  July  31,  1974. 
(United  Airlines) 


«g« 

Interval 

no.  of 
trial  a 

no.  of 
failures 

proportion 

surviving 

cumulative 

probability 

proportion 

failing 

cumulative 
failure  no. 

(1) 

(2) 

(3) 

(4) 

(5) 

(6) 

(7) 

0—  2lo 

43.o 

4 

0.908 

0.908 

0.092 

0.092 

201-  400 

40.0 

3 

0.925 

0.840 

0.075 

0.167 

401-  600 

36.5 

1 

0.973 

0.817 

0.027 

0.194 

601-  800 

35.0 

4 

0.886 

3.724 

0.114 

0.308 

801-1,000 

25.0 

2 

0.920 

0.666 

0.080 

0.388 

1,001-1,200 

17.0 

1 

0.941 

0.627 

0.059 

0.447 

1,201—1,400 

14.0 

0 

1.000 

0.627 

0.000 

0.447 

1,401-1,600 

14.0 

0 

1.000 

0.627 

0.000 

0.447 

1,601-1,800 

15.5 

3 

0.806 

0.505 

0.194 

0.641 

1,801-2,000 

12.0 

3 

0.750 

0.379 

0.250 

0.891 

2,001-2,200 

8.0 

1 

0.875 

0.332 

0.125 

1.016 

2,201-2,400 

10.0 

1 

0.900 

0.298 

0.100 

1.116 

2/401-2,600 

12.0 

2 

0.833 

0.249 

0.167 

1.283 

2,601—2,800 

8.0 

1 

0.875 

0.217 

0.125 

1.408 

2301-3,000 

4.0 

0 

1.000 

0.217 

0.000 

1.408 

3301-3,200 

3.0 

1 

0.667 

0.145 

0.333 

1.741 

3301-3,400 

2.5 

1 

0.600 

0.087 

0.400 

2.141 

3,401-3,600 

2.0 

1 

0.500 

0.044 

0.500 

2.641 

3,601-3300 

1.5 

0 

1.000 

0.044 

0.000 

2.641 

3301-4,000 

1.5 

0 

1.000 

0.014 

U.000 

2.  ‘41 

4,001-4300 

0.5 

0 

1.CO0 

0.044 

0.000 

2.641 

4,201-4,400 

0.0 

0 

— 

— 

— 

— 

4,401-4,600 

0.0 

0 

— 

— 

— 

— 

4301-4300 

0.0 

0 

— 

— 

— 

— 

4301-5,000 

0.5 

0 

1.000 

0.044 

0.000 

2.641 

5,001-5,200 

1.0 

1 

0.000 

eooo 

1.000 

3.641 

5,201-5,400 

0.0 

0 

0.000 

0.000 

0.000 

3.641 

\ 


interval  are  considered  to  be  estimates  of  the  respective  probabilities. 

, The  cumulative  probability  of  survival  to  the  end  of  any  interval  is  the 
product  of  the  survival  probabilities  for  all  preceding  intervals  and  the 
probability  of  survival  across  the  interval  in  question.  Similarly,  the 
cumulative  failure  number  for  the  end  of  any  age  interval  is  the  sum 
of  the  probabilities  of  failure  in  all  preceding  intervals  and  the  prob- 
ability of  failure  in  this  interval.  The  cumulative  fai'ure  number  is  not  a 
probability,  It  can  be  considered  to  represent  tht  average  number  of 
failures  which  would  occur  if  single  trials  were  made  to  traverse  the 
selected  interval  and  each  of  the  earlier  intervals. 

The  occurrence  of  a failure  in  any  interval  is  a random  event.  Thus 
it  is  possible  tc  have  a number  of  failures  in  one  age  interval,  none  in 
the  next,  and  a few  again  in  the  next.  Our  concern  with  the  age-reli ability 
relationship  is  the  possibility  that  the  failure  rate  may  increase  signifi- 
cantly with  age,  and  if  it  does,  we  may  wish  to  evaluate  the  utility  of  an 
age  limit  for  the  item  in  question.  (Infant  mortality  is  also  a concern, 
but  this  is  a different  and  much  simpler  problem,  since  it  occurs  quickly, 
if  at  all,  and  there  is  an  abundance  of  data  available  for  study.)  Thus 
local  variations  in  the  failure  rate  are  of  little  interest.  This  implies  that 
we  will  have  to  smooth  the  data  to  reduce  the  effect  of  the  random  time 
occurrences  of  the  failures. 


C • 3 THE  SMOOTHING  PROBLEM 

The  conditional  probability  of  failure  is  simply  the  ratio  of  the  number 
of  failures  in  a given  age  interval  to  the  number  of  units  that  attempt 
that  interval.  In  an  actuarial  study  this  represents  the  proportion  of  the 
units  entering  each  ago  interval  that  fail  during  that  interval,  as  shown 
in  column  6 of  Exhibit  C.7.  The  proportions  vary  from  0 to  1,  and  as 
expected,  this  variation  tends  to  increase  as  the  number  of  units  in  the 
interval  decreases. 

The  data  for  the  engine  under  study  suggest  a relatively  high  failure 
rate  at  low  ages  (infant  mortality),  a lower  rate  at  the  middle  ages,  and 
a higher  rate  at  the  higher  ages.  This  last  possibility  is  of  particular 
interest  because  of  its  implications  for  scheduled  rework  and  economic- 
life-limit  tasks  There  are  several  ways  of  analyzing  the  data  to  try  to 
clarify  the  picture: 

► We  can  smooth  the  data  through  some  standard  smoothing  proce- 
dure, such  as  a moving  average  or  exponential  smoothing. 

► We  can  increase  the  length  of  the  age  intervals,  which  would 
increase  the  number  of  failures  per  interval,  and  thus  reduce  the 
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► We  can  construct  cumulative  graphs  of  the  data  in  any  of  several 
wavs  and  simply  draw  a smooth  curve  through  the  data  points. 

The  first  of  these  procedures  will  not  be  discussed  here,  since  it 
is  well-covered  by  the  literature.  The  second  smoothing  procedure- 
increasing  the  age  interval  in  such  a vay  that  each  interval  has  approxi- 
mately the  same  amount  of  unit  experience— is  somewhat  more  com- 
mon. One  such  grouping,  for  . ample,  yields  the  following  results: 


it, iff  interval  f-.u]ur 

0-400  7 

400-800  5 

800-1,600  3 

1,600-5,200  15 


failure  rate 

'petience  (per  100  hours) 
16,000  0.044 

13,800  0.036 

13,700  0.022 

14,900  0.101 


This  grouping  of  the  data  suggests  a linearly  decreasing  failure  rate  for 
the  first  1,600  hours,  followed  by  a very  sharp  increase  immediately  after 
this  age.  The  intervals  might  also  be  adjusted  as  follows: 


age  inh  rval  failures 
0-400  7 

400-1,200  8 

1,200-5,200  15 


failure  rate 

experience  (per  100  hours) 
16,000  0.044 

21,900  0.037 

20,500  0.073 


In  this  case  the  data  suggest  a more  moderate  initial  decrease  in  failure 
rate,  followed  by  a more  moderate  increase  starting  at  1.200  hours  (rather 
than  1,600  hours).  Other  choices  would  lead  to  still  other  variations  of 
this  sort.  Age  grouping  is  simple  and  the  statistical  interpretation  is 
straightforward.  However,  it  is  obvious  from  the  examples  above  that 
the  interpretation  is  highly  dependent  on  the  grouping  process. 

The  chief  problem  in  representing  failure  data  is  to  reduce  the  appar- 
ent variations  so  that  different  analysts  will  come  to  similar  conclusions. 
A common  engineering  procedure  to  accomplish  this  is  to  cumulate  the 
data  and  then  graph  the  cumulative  values.  There  are  three  methods  in 
general  use,  although  all  three  have  the  limitation  that  they  do  not 
explicitly  take  into  account  the  varying  amounts  of  unit  experience  in 
different  age  intervals.  For  example,  the  engine  data  in  Exhibit  C.6  show 
much  more  experience  in  the  earlier  age  intervals  than  in  the  later  ones  — 
and  this  will  necessarily  he  the  case  whenever  failed  units  are  automat- 
ically replaced  by  units  with  zero  age.  Thus  the  trial  count  in  Exhibit 
C.7  ranges  from  43.5  to  35  trials  in  the  first  four  age  intervals,  whereas 
in  the  later  intervals  the  number  of  trials  was  as  small  as  4 or  2,  or  even  0. 
This  kind  of  variation  in  unit  experience  makes  it  more  difficult  to  assess 
the  validity  of  the  pattern  suggested  by  a smooth  curve. 


-WTT 


1,1 


One  method  of  cumulating  the  data  is  to  multiply  tne  proportions 
surviving  successive  age  intervals  to  obtain  the  cumulative  probability 
of  survival  for  each  interval  (column  5 in  Exhibit  C.7),  draw  a smooth 
survival  curve  through  the  points  (as  shown  in  Exhibit  C.2),  and  then 
compute  the  conditional  probability  of  failure  for  each  interval  from  the 
simple  formula 

I probability  of  \ _ / probability  of  \ 
Conditional  probability  _ \enterinq  interval/  ysurviving  interval/ 
of  failure  in  interval  probability  of  entering  interval 

This  procedure  breaks  down,  of  course,  when  we  reach  an  interval  in 
which  all  the  units  fail  (because  the  proportion  surviving  is  zero).  How- 
ever, the  likelihoo  that  all  the  units  in  an  interval  will  fail  is  small 
unless  the  number  of  units  in  that  interval  is  itself  small.  With  the  engine 
described  in  Exhibits  C.6  and  C,7  this  happens  for  the  first  time  in  the 
5, 000-5, 200-hour  interval,  which  contains  only  one  unit.  If,  as  some- 
times happens,  we  had  had  failure  data  beyond  this  age  interval,  a 
smoothing  procedure  that  relies  on  multiplication  would  not  have  per- 
mitted us  to  use  it. 

Another  method  makes  use  of  the  cumulative  failure  number  (col- 
umn 7 in  Exhibit  C.7).  This  number,  at  the  end  of  a given  interval  it 
the  sum  of  the  probabilities  of  failure  in  all  preceding  intervals  and 
the  probability  of  failure  in  the  interval  in  question.  Remember  that  the 
cumulative  failure  number  is  not  itself  a probability;  it  represents  Ihe 
average  number  of  failures  that  would  occur  if  single  trials  were  made 
to  traverse  the  selected  interval  and  each  of  the  earlier  intervals.  Exhibit 
C.8  shows  the  cumulative  failure  numbers  at  the  end  of  each  age  inter- 

EXHIBtT  C'8  The  cumulative  failure  number  for  the  Pratt  & Whitney 
JT8U-7  engine  on  the  Boeing  737.  (United  Airlines) 
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Cumulative  unit  experience  (hour*) 

EXHIBIT  C'  9 A simple  method  for  determining  the  age-reliability 
relationship  of  the  Pratt  & Whitney  JT8D-7  engine.  The  slope  of  the 
smooth  curve  at  any  operating  ages  is  a measure  of  the  conditional 
probability  of  failure  at  that  age.  (United  Airlines) 


val  plotted  as  a function  of  operating  age,  with  a smooth  curve  drawn 
through  the  points.  The  conditional  probability  of  failure  in  an  interval 
is  the  difference  between  the  cumulative  failure  numbers  at  the  end  and 
the  beginning  of  the  interval.  For  example,  from  Exhibit  C.8,  the 
smoothed  cumulative  failure  number  at  the  end  of  1,000  hours  is  0.395 
and  at  the  end  of  800  hours  it  is  0.310.  Thus  the  conditional  probability 
of  failure  in  the  801-1,000-hour  interval  is  .395  — .310  = .085,  or  at  900 
hours  (midinterval),  .085/2  — .042  per  100  hours. 

This  procedure  differs  from  the  previous  one  in  terms  of  the  quan- 
tity that  is  being  smoothed  The  precise  difference  cannot  be  pinned 
down  if  the  graphing  is  done  manually,  since  there  is  no  way  to  tell 
with  either  method  precisely  how  the  experienced  analyst  is  weighting 
the  two  factors  when  he  draws  the  smooth  curve.  The  procedure  is 
primarily  additive,  however,  so  that  there  is  no  difficulty  in  treating 
intervals  in  which  all  units  fail. 

A third  method  is  to  plot  the  cumulative  number  of  failures  by  the 
end  of  each  interval  against  the  cumulative  experience  by  the  end  of 
that  interval.  The  values  for  both  of  these  variables  are  listed  in  Exhibit 
C.6,  and  the  resulting  plot  is  shown  in  Exhibit  C.9.  The  slope  of  the 
smooth  curve  at  any  age  is  the  conditional  probability  of  failure  asso- 
ciated with  that  age.  There  is  a temptation  in  fhis  case  to  represent  the 
plotted  points  by  three  straight  line  segments  — one  from  0 to  200  hours, 
another  from  200  to  1 .800  hours,  and  a third  from  1,800  to  5,200  hours. 
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Such  straight  line  segments  would  lead  to  the  following  conditional 
probabilities  of  failure: 

conditional  probability 

operating  age  (hours)  of  failure  (per  100  hours) 

0-200  .048 

200-1,800  .037 

1,800-5,200  .100 


This  construction  suggests  abrupt  changes  in  the  conditional  probability 
of  failure  at  200  hours  and  again  at  1,800  hours.  While  it  is  conceivable 
that  dominant  failure  modes  might  be  dispersed  about  these  average 
ages,  it  is  highly  unlikely  that  there  are  actual  discontinuities  in  the 
conditional  probability  of  failure. 

The  discontinuities  can  be  avoided  simply  by  drawing  a smooth 
curve  instead  of  straight  line  segments  through  the  plotted  points  (the 
black  curve  in  Exhibit  C.9).  Conditional  probabilities  can  then  be 
obtained  from  the  smooth  curve  by  drawing  tangents  to  it  at  various 
operating  ages.  Typical  results  are  as  follows: 

conditional  probability 

operating  age  (hours)  of  failure  (per  100  hours) 

0 .050 

200  .042 

400  .038 

600  .036 

1,600  .049 

The  conditional-probability  curve  obtained  by  plotting  the  conditional 
probability  of  failure  as  a function  of  operating  age  is  shown  in  Ex- 
hibit C.10. 

The  average  conditional  probability  of  failure  in  the  interval  from 
0 to  200  hours  is  .046  (at  the  midpoint  of  this  interval);  hence  the  prob- 
ability that  an  engine  will  not  survive  to  200  hours  is  2 X .046  = .092,  and 
the  probability  that  it  will  survive  is  1 — .092=  .908.  Similarly,  the  prob- 
ability that  an  engine  which  has  survived  to  200  hours  will  continue  to 
survive  to  400  hours  is  1 — (2  x .040)  = .920.  The  probability  that  an 
engine  will  survive  both  the  0-200  and  the  201-400-hour  age  intervals 
is  the  product  of  both  these  probabilities,  or  .908  X .920  = .835.  A plot 
of  the  survival  curve  for  this  extended  example  is  also  shown  in  Exhibit 
C.10.  Both  the  conditional-probability  curve  and  the  survival  curve  are 
broken  at  ages  above  2,600  hours  as  a warning  that  the  levels  of  the 
curves  are  not  well-established  beyond  that  age.  (The  choice  of  2,600 
hours  as  a caution  point  is  arbitrary.) 

This  third  procedure  for  computing  conditional  and  survival  prob- 


I t—ii. . ... 


■$ 


.10 


500  WOO  UOO  2,000 

Operating  age  (hour*) 


2^00 


3,000 


Operating  age  (hours) 


EXHIBIT  C*I0  Conditional-probability  and  survival  curves  derived 
from  the  smooth  curve  in  Exhibit  C.9. 


abilities  allows  the  analyst  to  assess  the  varying  numbers  of  failures  and 
trials,  and  hence  to  judge  reasonably  well  what  portion  of  the  data  is 
well-defined  and  what  portion  is  more  (.(Uestionable.  The  smoothing 
that  does  occur,  while  still  subject  to  the  variations  of  freehand  con- 
struction, will  usually  lead  to  nearly  identical  results  for  the  same  data. 

Exhibit  C.ll  shows  conditional-probability  curves  obtained  by  all 
three  methods,  as  an  indication  of  the  consistency  of  the  curve  that  will 
result,  regardless  of  the  procedure  followed.  The  histogram  below  this 
graph  is  a convenient  way  of  displaying  the  experience  on  which  the 
analysis  was  based.  The  vertical  bars  ..how  the  volume  of  operation  in 
each  age  interval,  and  number  above  each  bar  is  the  number  of  failures 
that  occurred  in  that  interval.  A failure  rate  can  be  calculated  for  each  age 
interval.  These  failure  rates  are  shown  as  data  points  on  the  conditional- 
probability  graph,  but  it  would  be  difficult  to  fair  a curve  through  them 
and  define  a trend.  The  actuarial  procedures  we  have  discussed  over- 
come this  difficulty. 
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EXHIBIT  C'll  A comparison  of  conditional-probability  curves  derived 
by  three  different  methods.  The  bar  chart  shows  the  distribution  of 
operating  experience  on  which  all  three  analyses  were  based. 


C • 4 ANALYSIS  OF  A MIXED  POPULATION 

The  data  used  in  the  preceding  analyses  pertain  to  an  engine  that  is  not 
subject  to  scheduled  removals.  Each  engine  remains  in  service  until  an 
unsatisfactory  condition  is  detected,  either  by  the  maintenance  crew  or 
by  the  operating  crew.  At  that  time  the  engine  is  removed  and  sent  to 
the  shop  for  corrective  maintenance.  Since  extensive  work  may  be  done 
on  the  engine  while  it  is  in  the  shop,  this  repair  process  is  considered 
to  zero-time  the  engine.  Its  operating  age  is  thus  measured  as  engine 
time  since  the  last  shop  visit— that  is,  as  the  time  since  the  last  repair— 
and  all  engines  are  treated  as  members  of  a single  population. 

When  an  engine  is  subject  to  a limit  on  maximum  permissible 
operating  age,  it  is  assumed  that  complete  overhaul  of  a unit  that  was 
408  APPENDICES  operating  satisfactorily  will  also  reestablish  its  age  at  zero.  In  the  text 
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discussion  concerning  the  effects  of  an  age  limit  (Section  2.7),  it  was 
further  assumed  that  both  repaired  and  reworked  engines  have  the  same 
age-reliability  characteristics.  This  assumption  is  equivalent  to  saying 
that  both  are  members  of  the  same  population.  Suppose  we  want  to  test 
the  validity  of  this  assumption.  In  that  case  our  analytic  techniques 
must  allow  for  the  possibility  that  the  two  shop  processes  may  result 
in  different  age-reliability  characteristics.  This  can  be  done  by  treating 
the  total  population  of  engines  as  a mixed  population. 

At  one  time  it  was  believed  that  overhaul  of  a turbine  engine  prior 
to  a specified  operating  age  played  a major  role  in  controlling  reliability. 
On  this  basis  a complete  overhaul  was  the  only  process  considered  to 
zero-time  the  engine,  and  operating  age  was  measured  as  the  time  since 
overhual  (TSO).  Under  this  policy  an  engine  removed  prematurely  for 
corrective  maintenance  was  repaired  and  returned  to  service,  but  was 
considered  to  have  experienced  no  change  in  its  operating  age.  Two 
factors,  however,  might  result  in  premature  overhauls—  overhauls  before 
the  scheduled  removal  age: 

► The  occurrence  of  a failure  in  the  last  20  to  25  percent  of  the  per- 
missible operating  age,  in  which  case  a complete  overhaul  during 
this  shop  visit  would  avoid  the  need  for  a scheduled  removal  soon 
after  the  repaired  engine  was  reinstalled 

► A failure  requiring  such  extensive  repairs  that  it  would  be  econom- 
ically desirable  to  do  the  additional  work  needed  for  a complete 
overhaul,  regardless  of  the  age  of  the  engine 

Under  these  circumstances  the  results  of  an  actuarial  analysis  of  a mixed 
population  would  have  to  show  survival  curves,  probability-density 
curves,  and  conditional-probability  curves  for  three  variables  — failures, 
repairs,  and  overhauls. 

The  analysis  of  a mixed  population  requires  very  little  change  from 
the  method  discussed  in  Section  C.3.  It  is  necessary  only  to  plot  the 
cumulative  number  of  repairs  and  the  cumulative  number  of  overhauls 
for  each  age  interval  as  a function  of  the  cumulative  experience  for  that 
interval.  Exhibit  C.12  shows  the  results  for  a hypothetical  analysis  of 
a mixed  population  subject  to  an  overhaul  age  limit  of  2,500  hours. 
The  conditional-probability  curves  show  the  probability  of  failure  at  all 
ages  up  to  the  2,500-hour  limit  and  the  probability  of  premature  overhaul 
of  the  units  that  fail.  Below  2,000  hours  most  of  the  failed  units  are 
repaired  and  returned  to  service  without  overhaul;  after  2,000  hours  all 
failures  become  premature  overhauls.  The  survival  curves  show'  that 
the  probability  of  survival  without  overhaul  decreases  slowly  up  to 
2,000  hours;  thereafter  it  decreases  at  exactly  the  same  rate  ns  the  prob- 
ability of  survival  without  failure.  The  probability  of  survival  without 
repair  is  higher  than  the  probability  of  survival  without  failure,  since 
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EXHIBIT  C-12  Hypothetical  results  of  an  actuarial  analysis  of  a mixed 
population  subject  to  a scheduled  rework  task. 

some  failures  will  result  in  premature  overhauls  before  2,000  hours;  after 
2,000  hours  the  probability  of  survival  without  repair  remains  constant, 
since  all  failed  units  after  that  age  are  overhauled. 

Actuarial  analysis  of  a mixed  population  requires  a number  of 
detailed  but  simple  changes  in  the  format  outlined  in  Exhibits  C.6  and 
C.7.  The  following  adjustments  are  necessary  in  Exhibit  C.6: 

► Column  2,  which  shows  the  number  of  units  entering  an  age  inter- 
val, must  take  into  account  reinstallation  of  a repaired  unit,  as  well 
as  entry  of  a unit  from  the  preceding  interval. 

► The  failure  count  in  column  6 must  be  partitioned  into  the  number 
of  failed  units  that  are  repaired  and  the  number  of  failed  units  that 
are  overhauled. 

► The  trial  count  in  column  8 must  be  adjusted  to  account  for  the 
experience  of  repaired  units  that  are  reinstalled  during  the  study 
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it  was  installed  counts  as  a whole  trial;  if  the  unit  survives  to  leave 
this  interval,  this  experience  counts  as  a fractional  trial. 


Similar  changes  are  necessary  in  the  details  of  Exhibit  C.7: 
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The  failure  number  must  be  partitioned  into  failed  units  that  are 
repaired  and  failed  units  that  are  overhauled. 

The  probabilities  of  survival,  both  for  each  interval  and  cumulative, 
must  be  partitioned  into  survival  without  overhaul,  survival  with- 
out repair,  and  survival  without  failure. 

The  calculations  to  determine  the  probability  of  failure  in  each 
interval  must  be  repeated  to  obtain  the  probability  of  a repair  in 
each  interval. 

A cumulative  repair  number,  like  the  cumulative  failure  number, 
must  be  calculated  for  the  end  of  each  age  interval.  This  number 
will  be  less  than  the  cumulative  failure  number.  The  difference 
between  these  two  numbers  is  the  probability  of  an  overhaul  and 
the  complement  of  the  cumulative  probability  of  survival  without 
overhaul  for  the  corresponding  interval 


C * 5 USEFUL  PROBABILITY  DISTRIBUTIONS 

At  certain  stages  of  an  actuarial  analysis  curves  are  faired  through  sets 
of  data  or  calculated  points,  and  subsequent  calculations  are  then  based 
on  numerical  values  read  from  these  curves.  This  curve-fitting  tech- 
nique is  not  mathematically  precise,  and  one  feels  somewhat  uncom- 
fortable using  extrapolations  from  such  curves.  In  many  cases  it  is 
possible  to  model  age-reliability  relationships  by  the  mathematical 
functions  which  represent  certain  probability  distributions.  Special 
graph  papers  are  available  for  some  of  the  more  common  distributions 
which  have  the  property  that  a survival  curve  appears  on  them  as  a 
straight  line. 

It  is  known  that  certain  failure  processes  and  the  characteristics  of 
certain  items  result  in  age-reliability  relationships  that  can  be  approxi- 
mated by  specific  probability  distributions.  Much  information  on  the 
physical  processes  that  produce  this  capability  is  available  in  the  litera- 
ture, and  this  knowledge  is  the  best  guide  in  evaluating  the  adequacy 
of  a given  probability  distribution  to  represent  the  results  of  an  actuarial 
analysis.  Another  more  empirical  guide  is  the  shape  of  the  conditional- 
probability  or  probability-density  curve  that  resulted  from  the  initial 
I analysis.  If  there  is  reason  to  believe  that  the  age-reliability  characteris- 

t tics  of  an  item  do  follow  a particular  probability  distribution,  it  is  usually  SECTION  05  411 
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more  accurate  to  fit  a straight  line  through  survival  points  on  graph 
paper  that  is  unique  to  that  distribution  than  it  is  to  draw  a curve  through 
the  corresponding  points  plotted  on  cartesian  coordinates. 

Many  probability  distributions  have  been  developed  and  can  be 
used  for  reliability  analyses.  The  three  which  have  the  widest  applica- 
tion are  the  exponential  distribution,  the  normal  distribution,  and  the 
Weibull  distribution.  Exhibit  C.13  shows  the  relationship  of  the  con- 
ditional probability  of  failure,  the  probability  density  of  failure,  and  the 
probability  of  survival  for  the  exponential  distribution.  The  conditional 
probability  of  failure  associated  with  an  exponential  distribution  is 
constant  at  all  ages  — that  is,  the  probability  of  failure  is  the  same  at  any 
age  to  which  a given  unit  may  survive.  This  is  sometimes  expressed  by 
saying  that  an  item  with  exponential  characteristics  has  no  memory. 
This  conditional-probability  relationship,  described  by  curve  E in 
Exhibit  2.13,  is  characteristic  of  complex  items  with  no  dominant  failure 
modes,  and  also  of  electronic  items,  particularly  at  ages  beyond  the 
infant-mortality  period. 

The  failure-density  curve  shows  that  the  incidence  of  failures  for 
items  characterized  by  an  exponential  distribution  is  highest  at  low 
ages,  starting  at  installation.  This,  of  course,  is  because  low  ages  repre- 
sent the  greatest  amount  of  unit  experience,  and  since  the  conditional 
probability  of  failure  is  constant,  the  more  units  there  are  in  an  age 
interval,  the  more  failures  there  will  be.  The  survival  curve  of  the  expo- 
nential distribution  has  a shape  similar  to  that  of  the  density  curve.  The 
exponential  distribution  is  a single-parameter  distribution.  This  param- 
eter is  the  failure  rate.  It  is  a scaling  parameter,  since  it  determines  the 
magnitude  of  the  conditional  probability  of  failure,  the  initial  value  and 
rate  of  decrease  of  the  density  curve,  and  the  rate  of  decrease  of  the 
survival  curve. 

Exhibit  C.14  shows  the  corresponding  relationships  for  the  normal 
distribution.  The  conditional  probability  of  failure  associated  with  a 
normal  distribution  is  relatively  small  at  low  ages  and  increases  mono- 
tonically  with  increasing  age.  This  distribution  is  therefore  a candidate 
for  consideration  when  an  item  exhibits  increasing  signs  of  wearout 
after  relatively  low  probabilities  of  failure  at  earlier  ages.  The  failure- 
density  curve  for  the  normal  distribution  has  a clearly  defined  maximum 
value.  This  occurs  at  the  average  age  at  failure  if  all  units  are  permitted 
to  continue  in  operation  until  they  fail.  Note  that  the  density  curve  is 
symmetrically  disposed  about  this  average  age.  This  is  an  important 
characteristic  of  a normal  distribution.  The  survival  curve  passes  through 
a probability  of  .50  at  the  average  age  at  failure  and  has  twofold  symme- 
try with  respect  to  this  probability  point. 

The  statement  that  an  item  has  a "life  of  x hours"  is  usually  based 
on  a supposition  that  it  has  age- reliability  characteristics  which  can  be 
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EXHIBIT  C‘I4  The  relationship  of  conditional  probability,  probability 
density,  and  probabil1  , of  survival  for  a normal  distribution  with  a 
mean  time  between  failures  of  2,000  hours  and  a standard  deviation 
in  failure  age  of  500  hours. 
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represented  by  a normal  distribution.  In  other  words,  such  a statement 
assumes  the  following  characteristics: 

► The  probability  of  failure  at  low  ages  is  very  small. 

► The  probability  of  failure  increases  as  operating  age  increases. 

► There  is  an  age  at  which  the  density  of  failure  has  a relatively  well- 
defined  maximum  value. 

► The  density  of  failure  at  lower  or  higher  ages  is  symmetrically 
disposed  about  the  maximum  value. 

The  normal  distribution  frequently  does  represent  the  age-reliability 
characteristics  of  simple  items  (those  subject  to  only  one  or.  a very  few 
failure  modes). 

The  normai  distribution  is  a two-parameter  distribution.  One  param- 
eter is  a location  parameter;  it  defines  the  age  at  which  the  maximum 
failure  density  occurs.  The  other  parameter  is  a scaling  parameter  and 
is  determined  by  the  degree  of  dispersion  of  the  failure  densities  about 
the  peak  value.  The  scaling  parameter  thus  establishes  the  curvature  of 
the  survival  curve,  the  magnitudes  of  the  conditional  probabilities, 
and  the  magnitude  of  the  maximum  failure  density  and  of  other  den- 
sities about  the  maximum  value. 

Exhibit  C.15  shows  the  characteristics  of  a Weibull  distribution.  In 
this  particular  example  the  conditional-probabitity  curve  resembles  that 
for  the  normal  distribution,  in  that  the  conditional  probability  of  failure 
increases  monotonically  with  age.  It  is  dissin.ilar,  however,  with  respect 
to  the  conditional  probability  at  low  ages,  which  is  shown  as  being 
relatively  high.  The  Weibull  distribution  is  a candidate  for  representing 
items  that  have  a moderately  high  probability  of  failure  at  low  ages 
and  demonstrate  monotonically  increasing  (or  decreasing)  failure  prob- 
abilities thereafter. 

This  discussion  takes  considerable  liberty  with  the  Weibull  distri- 
bution. The  Weibull  distribution  is  a very  versatile  one  with  wide  appli- 
cability. It  can  in  fact  be  used  to  represent  items  with  high  or  low 
conditional  probabilities  at  low  ages,  and  age  relationships  in  which 
the  probability  of  failure  either  increases  or  decreases  with  increasing 
age.  The  exponential  and  normal  distributions  are  both  special  cases  of 
the  Weibull  distribution. 

The  Weibull  distribution  in  Exhibit  C.15  has  a failure-density  curve 
that  is  not  too  different  from  that  for  the  normal  distribution  shown  in 
Exhibit  C.14.  There  is  an  age  at  which  the  density  function  has  a well- 
defined  maximum  value.  Unlike  the  normal  distribution,  however,  the 
densities  in  a Weibull  distribution  are  not  necessarily  symmetrically 

disposed  about  this  peak  value.  They  can  be,  but  they  usually  are  not.  section  c-5  415 


EXHIBIT  C • 15  Relations!  ip  n(  conditional  probability,  probability 
density,  and  probability  of  survival  lot  a Welbull  distribution  with 
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By  the  same  token,  the  survival  curve  for  a Weibull  distribution  does 
not  necessarily  pass  through  the  .SO  point  at  the  age  corresponding  to 
the  maximum  failure  density,  nor  does  it  have  the  symmetry  of  the 
normal  curve. 

The  Weibull  distribution  described  here  is  a three-parameter  dis- 
tribution. One  parameter  is  a location  parameter  which,  in  effect,  defines 
a negative  age  at  which  the  conditional  probability  of  failure  is  zero 
The  other  parameters  are  scaling  and  shape  parameters. 

Each  of  the  probability  distributions  enables  us  to  express  the  con- 
ditional probability  of  failure,  the  probability  density  of  failure,  and 
probability  of  survival  without  failure  as  a function  of  operating  age 
and  certain  parameters.  These  parameters  make  it  possible  to  develop  a 
large  family  of  different  relationships  for  each  type  of  probability  dis- 
tribution. In  practical  work  we  are  ordinarily  not  concerned  with  enu- 
merating the  parameters  that  apply  to  a specific  analysis  or  writing  the 
equations  that  describe  the  age-reliability  relationship.  The  purpose 
of  an  actuarial  analysis  is  to  determine  whether  the  reliability  of  the 
item  deteriorates  whh  operating  age,  and  if  it  does,  to  assess  the  desir- 
ability of  imposing  a limit  on  operating  age.  Thus  any  interest  in  prob- 
ability distributions  is  entirely  pragmatic  and  centers  on  the  possibility 
of  using  the  specialized  graph  papers  for  such  distributions  to  simplify 
the  task  of  fairing  curves  through  the  survival  data.  Experience  has 
shown  that  none  of  these  three  probability  distributions  provide  a 
satisfactory  model  for  the  results  of  turbine-engine  analysis,  and  in 
that  case  representation  still  depends  on  subjective  curve  fitting  by  the 
analyst. 


C -6  A SPECIAL  USE  OF  THE 

EXPONENTIAL  DISTRIBUTION 

Spare  units  for  each  item  are  purchased  and  kept  on  hand  to  support 

new  equipment  when  it  enters  service.  The  provisioning  is  based  on  an 

anticipated  failure  rate  for  each  item.  It  is  not  uncommon,  however,  for 

an  item  on  newly  designed  equipment  to  experience  a failure  rate  much 

higher  than  was  anticipated.  This  results  in  an  unexpected  increase  in 

the  shop  workload,  and  also  in  depletion  of  the'supply  of  serviceable 

spare  units  needed  to  support  the  equipment.  This  means  that  pieces 

of  equipment  may  have  to  be  removed  from  service  because  there  are 

no  replacement  units  of  the  unreliable  item.  A problem  of  this  kind  can 

persist  for  some  time,  since  the  process  of  pioving  that  specific  design 

changes  do  in  fact  improve  reliability  is  a slow  one.  Moreover,  not  only 

does  it  take  time  to  manufacture  additional  spare  units,  but  there  is 

also  a reluctance  to  invest  in  additional  units  of  a design  that  has  proved  ^ 

unsatisfactory.  SECTION  06  417 


Invariably  the  question  arises  as  to  whether  a limit  on  the  maxi- 
mum operating  age  of  such  an  item  is  desirable  to  alleviate  the  spare- 
unit  problem  caused  by  a high  failure  rate.  The  exponential  distribution 
can  give  useful  information  that  permits  a quick  answer  to  this  question. 
Exhibit  C.16  shows  the  probability  of  survival  of  an  item  with  exponen- 
tial reliability  characteristics,  with  the  operating  age  expressed  as  a mul- 
tiple of  the  mean  time  between  failures.  The  exponential  distribution 
represents  a constant  conditional  probability  of  failure  at  all  ages,  as 
described  by  curve  E in  Exhibit  2.13.  Obviously  an  item  whose  failure 
behavior  corresponded  to  curve  A,  C,  or  F in  this  family  of  curves  would 
have  smaller  survival  probabilities  at  all  ages  than  one  with  exponen- 
tial characteristics.  Items  with  the  characteristics  described  by  curve  B 
have  survival  probabilities  which  are  about  the  same  as  those  for  a 
class  E item  at  low  ages  and  deteriorate  at  high  ages,  lhe  relatively  few 
items  whose  conditional-probability  curves  correspond  to  curve  D have 
survival  probabilities  which  are  tually  somewhat  better  than  exponen- 
tial at  higher  ages.  For  the  p t oses  of  this  question,  however,  it  is 
reasonable  to  assume  that  the  troublesome  item  can  be  represented  by 
the  exponential  survival  curve  in  Exhibit  C.16. 

Suppose  this  item  has  a failure  rate  of  1 per  1,000  hours.  The  mean 
time  between  failures  is,  of  course,  1,000/1  = 1,000  hours.  An  age  limit  of 
1,500  hours  has  been  proposed  for  this  item.  If  we  extrapolate  values 
from  the  exponential  survival  curve,  we  find  that  at  an  age  limit  which 
represents  1.5  times  the  mean  time  between  failures,  22.3  percent  of  the 
units  can  be  expected  to  survive  to  that  limit  and  become  scheduled 
removals: 
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These  scheduled  removals  will  further  increase  the  demand  for  spare 
units,  and  hence  will  aggravate  the  present  inventory'  problem  instead 
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EXHIBIT  C • 16  A nondimensional  form  of  the  exponential  survival 
curve  that  can  be  used  to  determine  the  probability  of  Survival  to  any 
multiple  of  the  mean  time  between  failures. 

of  alleviating  it.  Any  additional  operating  life  that  can  be  realized  by 
this  22.3  percent  of  the  units  represents  a saving  over  the  number  of 
spare  units  that  would  be  needed  with  an  age  limit. 

If  there  are  major  economic  consequences  associated  with  the 
failures  — and  if  the  conditional  probability  of  failure  in  fact  increases 
rapidly  after  1,500  hours  — then  an  age  limit  may  be  desirable  to  reduce 
the  failure  rate  regardless  of  the  increase  in  the  inventory  problem.  This, 
however,  is  a solution  to  a different  problem  from  the  one  that  has  been 
posed.  There  are  many  situations  in  which  the  assumption  of  a simple 
exponential  distribution  serves  as  a useful  tool  in  helping  to  define  the 
actual  problem. 
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THIS  BIBLIOGRAPHIC  essay  has  three  main  purposes: 

► To  list  the  seminal  documents  in  statistics,  quality  control,  reliabil- 
ity theory,  information  science,  and  decision  analysis  that  preceded 
the  development  of  reliability-centered  maintenance  as  a logical 
discipline 

► To  provide  access  to  the  broader  literature  in  each  of  these  areas 
for  those  readers  who  would  like  to  explore  one  or  more  of  them 
in  greater  detail 

► To  provide  specific  access  to  the  literature  of  reliability-centered 
maintenance  and  directly  related  materials 

The  third  task  presents  a problem  not  shared  by  the  first  two.  If  one 
follows  the  obvious  path  of  searching  the  general  literature  using  such 
apparently  reasonable  terms  as  reliability,  prediction,  decision  analysis, 
etc.,  the  yield  in  retrieved  documents  is  large,  but  the  relevance  level 
is  extremely  smell.  For  instance,  there  is  a very  substantial  literature  on 
reliability  m^ueling  and  prediction  which  is  presumably  of  significant 
benefit  to  the  designers  and  manufacturers  of  complex  equipment.  Very 
little  of  this  literature  is  useful  to  one  charged  with  designing  a prior- 
to-service  maintenance  program.  The  difference  stems  in  part  from 
the  differing  needs  of  the  equipment  designer  and  the  maintenance- 
program  designer.  A reliability  model  can  be  sufficiently  close  to  reality 
to  allow  the  equipment  designer  to  analyze  the  difference  between  two 
competing  design  alternatives  without  being  sufficiently  real  to  allow 
precise  prediction  of  performance  in  the  use.'"  environment.  The  model 
may  be  useful  to  the  designer  without  providing  specific  insight  as  to 
whether  the  deterioration  which  precedes  failure  is  visible  or  not,  let 
alone  information  on  the  cost  of  obtaining  such  visibility  when  it  is 
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Similarly,  there  is  a significant  amount  of  literature  on  actuarial 
analysis  and  the  fitting  of  various  forms  of  failure  distributions  to 
empirical  data.  However,  the  role  of  actuarial  analysis  in  reliability- 
centered  maintenance  is  sharply  limited,  on  the  one  hand,  by  the  fact 
that  we  cannot  afford  to  allow  critical  failures  to  occur  in  sufficient 
numbers  to  make  actuarial  analysis  meaningful,  and  on  the  other  hand, 
by  the  fact  that  most  failures  that  are  allowable  (in  terms  of  their  conse- 
quences) are  best  dealt  with  by  replacement  at  failure.  Even  in  the 
middle  range,  where  actuarial  analysis  is  useful  — at  least  in  the  ongoing 
program,  after  sufficient  operating  history  has  built  up  — the  more 
sophisticated  approaches  involving  the  use  of  distinguished  probability 
distributions  and  fine  points  of  estimation  theory  are  frequently  mis- 
leading because  of  the  stubborn  refusal  of  real  data  to  behave  properly 
at  the  tails  of  a distribution. 

There  is  also  a fairly  substantial  literature  on  the  theory  of  main- 
tained systems,  much  of  which  is  devoted  to  the  selection  of  "optimum 
inspection  intervals."  Such  approaches  are  rarely  general  enough  to 
take  into  account  all  the  variables  that  matter,  including  such  simple 
realities  as  the  need  to  package  tasks  for  reasonable  efficiency,  contin- 
ually shifting  operating  requirements,  the  availability  of  maintenance 
facilities,  and  the  utility  of  using  opportunity  samples.  The  problem 
is  compounded  by  the  general  absence  of  ha’-d  data  in  the  prior-to- 
service  study  and  during  the  break-in  period  immediately  after  the 
equipment  enters  service,  when  the  selection  of  intervals  is  of  greatest 
concern.  Highly  sophisticated  techniques  that  begin  to  become  useful 
only  ?s  the  equipment  nears  obsolescence  are  of  limited  utility. 

As  a result,  most  of  the  works  cited  are  important  primarily  because 
they  shed  light  on  the  background  in  which  RCM  concepts  developed 
or  because  they  provide  some  insight  into  the  design  process  that  pre- 
cedes the  development  of  the  complex  equipment.  In  a few  cases  works 


that  have  tried  to  carry  the  notion  of  optimization  too  far  are  singled 
out  as  a reminder  of  some  of  the  pitfalls  that  await  the  innocent. 

The  references  cited  in  this  appendix  were  largely  derived  from  an 
exhaustive  literature  search  of  machine-readable  and  print  data  bases 
conducted  by  Martha  West  and  George  Glushenok,  who  reduced  several 
thousand  citations  to  some  500  pertinent  references.  The  search  area 
encompassed  such  obvious  general  fields  as  engineering,  electronics, 
operations  research/management  science,  information  and  computer 
science,  logistics,  and  statistics.  In  addition,  certain  selected  publica- 
tions, such  as  the  Proceedings  of  the  Annual  Reliability  and  Maintainability 
Symposia,  were  searched  cover  to  cover.  F.  S.  Nowlan  and  C.  S.  Smith 
provided  key  documents  from  the  aircraft/airline  internal  literature  and 
the  Department  of  Defense,  as  well  as  a number  of  useful  comments  on 
what  to  look  for  and  what  to  ignore. 


D • I HISTORICAL  DEVELOPMENT 
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The  historical  development  of  the  study  of  reliability  and  maintenance 
can  be  broken  into  three  main  periods,  albeit  with  a fair  degree  of  over- 
lap. In  the  20  years  preceding  World  War  II  there  were  several  develop- 
ments that  laid  the  necessary  base  both  in  theory  and  in  application.  In 
the  1920s  R.  A.  Fisher  (1922)  developed  the  essential  structure  of  small- 
sample  statistics  and  laid  the  basis  for  modem  theories  of  estimation 
and  the  design  of  experiments.  Neyman  and  Pearson  (1928)  laid  the 
foundations  for  modem  decision  theory.  Dodge  and  Romig  produced 
the  first  sampling  plans,  which  were  published  in  book  form  later  (1944), 
Fry  (1928)  and  others  showed  how  probabilistic  analysis  could  be  ap- 
plied to  the  design  of  modem  equipment,  and  Shewhart  (1931)  invented 
quality-control  charts. 

In  the  1930s,  even  though  industrial  production  v/as  low  because  of 
the  Depression,  many  of  these  techniques  were  tested  in  application, 
particularly  in  the  telephone  industry  in  this  country  and  the  chemical 
industry  in  Great  Britain.  Kolmogorov  (1933)  provided  the  first  com- 
plete axiomatic  description  of  probability  theory,  and  work  was  begun 
on  the  problem  of  providing  rigorous  structure  to  the  ideas  that  Fisher 
had  pioneered. 

The  enormous  expansion  of  industrial  production  in  this  country 
after  December  1941  provided  the  opportunity  and  the  need  to  imple- 
ment modem  quality-control  techniques  through  the  defense  industry. 
The  Statistical  Techniques  Group  at  Columbia  University  solidified 
the  earlier  work  at  Bell  Laboratories  in  sampling  plans,  provided  the 
first  tables  for  e?  :imating  tolerance  limits  for  design,  and  produced  the 
first  materials  on  decision  theory.  Most  of  this  work  became  available 
in  monographs  published  shortly  after  the  war.  F„  L.  Grant  (1946)  wrote 


a primer  on  statistical  quality  control,  Abraham  Wald  (1947,  1950)  pro- 
vided two  key  texts  on  decision  theory,  and  Eisenhart  et  al.  (1947) 
summarized  other  statistical  developments  derived  at  Columbia. 

The  second  period  of  development,  which  had  its  roots  in  World 
War  II  and  in  the  theoretical  developments  in  probability  theory  prior 
to  that  time,  properly  begins  after  the  war.  One  stimulus  was  the  pub- 
lication by  Altman  and  Goor  (1946)  of  an  application  of  actuarial 
methods  to  engine  failures  on  the  B-29;  another  was  the  extensive  con- 
version of  surplus  wartime  equipment,  particularly  to  civil  aviation. 

For  the  next  20  years  the  increasing  use  of  complex  equipment,  first 
with  aircraft  and  later  with  missiles,  led  to  increasingly  sophisticated 
designs  and  manufacturing  practices  involving  the  use  of  redundancy 
to  reduce  the  consequences  of  failure  and  bum-in  to  reduce  the  inci- 
dence of  infant  mortality.  Empirical  studies  of  Davis  (1950),  Weibull 
(1951),  Epstein  (1953),  and  others  provided  the  base  on  which  to  make 
increasingly  sophisticated  estimates  of  expected  reliability. 

In  the  later  stages  of  these  developments  design  attention  turned 
to  problems  of  maintainability  — the  concept  of  making  it  easier  to 
detect  failures  (or  potential  failures)  and  to  replace  failed  components 
at  reasonable  costs.  As  with  the  quality-control  era,  maturity  is  marked 
by  the  publication  of  a spate  of  books.  Zelen  (1963)  edited  the  pro- 
ceedings of  a conference  in  Madison,  Wisconsin,  that  covered  a number 
of  areas  of  interest.  Goldman  and  Slattery  (1964)  wrote  the  first  text 
explicitly  devoted  to  the  maintainability  problem.  Pieruschka  (1963) 
summarized  much  of  the  associated  statistical  material.  Barlow  and 
Proschan  (1965)  gathered  together  the  mathematics  of  reliability  theory, 
and  Jorgenson,  McCall,  and  Radnor  (1967)  considered  the  problem  of 
finding  optimal  maintenance  policies. 

The  thread  begun  by  Neyman  and  Pearson  and  followed  so  beau- 
tifully by  Wald  was  also  continued  by  Von  Neumann  and  Morgenstem 
(1944)  in  their  classic  text  on  the  theory  of  games.  This  work  was  in  turn 
integrated  into  modern  decision  theory  by  Blackwell  and  Girshick 
(1954)  and  extended  toward  what  we  now  call  decision  analysis  by  the 
French  school,  as  reported  in  Masse  (1962). 

The  third  era,  beginning  in  1960  with  the  work  ai  United  Airlines, 
saw  yet  a new  focus  on  the  problem.  Whereas  the  applications  of  the 
1930s  had  concentrated  on  the  problems  of  producing  and  acquiring 
appropriate  quality,  and  the  works  that  followed  we'e  concerned  with 
reliability  (the  quality  experienced  over  time  in  use)  and  its  implica- 
tions for  design,  attention  now  turned  to  the  acquisition  of  appropriate 
information  — frequently  in  a context  in  which  it  was  easier  to  get  too 
much,  rather  than  too  little. 

While  Nowlan,  Matteson,  and  others  at  United  Airlines  were  care- 
fully studying  the  age-reliability  characteristics  of  complex  equip- 
ment to  determine  precisely  what  good,  if  any,  preventive  maintenance  SECTION  D-l  423 
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could  do,  Magee  (1964a,  1964b)  was  exploring  the  possibilities  of  dec - 
sion  diagrams  based  on  an  evaluation  of  the  consequences  of  decisions. 
In  the  statistical  area,  Tukey  (1960)  pointed  out  the  distinctions  be- 
tween actions  and  conclusions  and  thereby  laid  the  framework  for 
modern  data  analysis.  And  on  yet  another  front,  information  science 
began  to  evolve  out  of  bibliometrics  and  information-retrieval  studies. 

Now,  in  turn,  the  monograph  literature  is  ready  to  catch  up  with 
the  developments  already  published  in  proceedings  and  journals.  The 
National  Academy  of  Sciences  (National  Research  Council,  1976)  has 
already  published  an  extensive  report  on  setting  statistical  priorities 
which  shows  the  interrelationship  between  information  science  and 
statistics  and  pays  particular  attention  to  the  problems  of  establishing 
the  utility  of  data  in  contexts  where  there  may  be  far  too  much  for  easy 
assimilation.  Raiffa  (1968),  Schlaifer  (1969),  and  others  have  routinized 
decision  analysis  to  the  point  where  it  is  being  applied  in  an  increasing 
number  of  areas. 

The  present  text  on  reliability-centered  maintenance  carries  the 
development  one  step  further.  By  reversing  the  order  of  the  questions 
on  decision  diagiams,  so  that  consequences  are  evaluated  first  instead 
of  last,  and  in  gross  rather  than  fine  terms,  Nowlan  and  Heap  have 
shortened  the  path  between  decision  making  and  data  gathering  in  an 
important  way.  Their  emphasis  on  the  use  of  the  decision  diagram  as 
an  audit  trail  which  links  decision  making  to  results  is  strongly  remi- 
niscent of  Shewhart's  (1931)  reasoning  in  establishing  quality-control 
charts  and  Demos'  (1955)  integration  of  such  charts  into  a quality- 
control  system.  Finally,  their  integration  of  data  in  the  ongoing  process 
goes  a long  way  toward  formalizing  the  process  of  modifying  decisions 
as  hard  information  develops.  As  such,  it  bears  a mild  resemblance  to 
the  work  of  George  Box  (1957)  on  evolutionary  operation,  although  the 
latter  presupposed  the  opportunity  to  modify  the  variables  in  an  ongoing 
process  for  gradual  improvement  of  performance,  whereas  the  reevalu- 
ation in  this  case  is  consequence-centered  and  connected  only  through 
that  mechanism  to  performance. 


D • 2 RELIABILITY  THEORY  AND  ANALYSIS 

In  their  excellent  summary  of  the  historical  background  of  the  mathe- 
matical theory  of  reliability,  Barlow  and  Proschan  (1965)  begin  with  the 
pioneering  work  of  Khintchine  (1932),  Weibull  (1939),  Palm  (1943),  and 
others  in  the  1930s  and  1940s.  In  this  work  it  seems  natural  to  start  with 
the  key  paper  by  Altman  end  Goor  (1946)  cn  the  reliability  of  engines 
used  in  the  B-29  aircraft  in  World  War  Ii).  Altman  and  Goor  used  ac- 
tuarial methods  of  the  life  insurance  industry  and  provided  a detailed 
424  APPENDICES  example  to  illustrate  this  usage.  Their  primary  interest  was  in  the  supply 


problem,  which  required  an  estimate  of  the  proportion  of  the  engines 
that  would  fail  prior  to  their  hard-time  removal.  Since  they  assumed 
that  there  was  an  appropriate  time  to  remove  an  engine  from  the  air- 
craft, the  only  problem  from  their  point  of  view  was  determining  the 
conditional  probability  of  failure  prior  to  this  removal  time.  In  addi- 
tion to  the  actuarial  analysis,  they  also  noted  that  the  frequency  of 
engine  failures  plotted  as  a log  function  of  total  flying  time  was  approx- 
imately a straight  line,  which  has  implications  for  the  underlying  failure 
distribution.  Altman  and  Goor  also  compared  the  results  for  new  engines 
with  those  that  had  been  removed,  overhauled,  and  returned  to  the 
field  and  noted  that  the  overhauled  engines  had  a significantly  shorter 
average  life.  There  was  no  hint  in  their  work,  however,  that  this 
should  be  used  as  a basis  for  extending  the  overhaul  interval. 

In  1950  D.  J.  Davis  produced  a report  for  the  Rand  Corporation 
which  was  later  published  in  modified  form  in  the  Journal  of  the 
American  Statistical  Association  (Davis,  1952).  He  considered  both  the 
normal  failure  law  and  the  exponential  failure  law  and  showed  that 
failures  for  a number  of  types  of  equipment,  particularly  electronic 
components  and  other  complex  items,  were  better  approximated  by  the 
exponential  failure  distribution.  Davis  also  inquired  into  the  nature  of 
the  failure  mechanism  as  a means  for  understanding  the  appropriate- 
ness of  the  failure  distribution  and  discussed  (briefly)  the  problem  of 
finding  optimal  replacement  policies. 

A number  of  other  papers  appeared  about  the  same  time,  notably 
that  by  Weibull  (1951)  on  the  distribution  that  now  bears  his  name  and 
that  by  Epstein  and  Sabel  (1953)  on  the  utility  of  the  exponential  distri- 
bution, particularly  in  the  treatment  of  electronic  equipment.  The  1950s 
also  saw  the  beginnings  of  reliability  study  as  a formal  discipline,  as 
marked  by  a meeting  in  New  York  City  in  1952  on  applications  of 
reliability  theory. 

Other  theoretical  developments  during  this  period  included  the 
work  of  Moore  and  Shannon  (1956)  on  the  theoretical  determination  of 
reliability  in  networks  and  a theoretical  justification  by  Drenick  (1960) 
of  the  use  of  the  exponential  distribution  for  complex  equipment  with 
no  dominant  failure  modes.  By  this  time  the  empirical  and  theoretical 
developments  in  reliability  had  led  to  an  increased  interest  in  main- 
tainability. This  term  has  been  used  in  several  ways,  but  here  it  refers 
to  those  aspects  of  design  provided  to  facilitate  mainter  nee  by  making 
parts  that  are  likely  to  fail  easy  to  replace  and/or  easy  to  inspect.  Much 
of  the  design  development  in  the  1950s,  particularly  that  associated 
with  development  of  intercontinental  ballistic  missiles,  had  to  do  with 
improved  reliability  through  design,  including  the  use  of  redundant 
parts  and  the  bum-in  of  parts  with  high  rates  of  infant  mortality.  The 
latter  was  investigated  by  ARINC  (Aeronautical  Radio, 1958)  with  respect 
to  electron  tubes. 
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Barlow  and  Scheuer  (1971)  consider  some  of  the  problems  of  esti- 
mation from  accelerated  life  tests.  Included  is  a useful  bibliography  by 
Winter  et  al.  (1964)  of  20  papers  in  this  area.  Ladany  and  Aharoni  (1975) 
discuss  maintenance  policy  of  aircraft  according  to  multiple  criteria. 
This  paper  is  worthy  of  note  primarily  because  it  is  a recent  work  that 
does  not  appear  to  make  use  of  the  developments  that  occurred  between 
1963  and  1975.  As  a result,  the  writers  are  not  convinced  of  the  utility 
of  exponential  distributions  in  reliability  analysis  and  take  a somewhat 
peculiar  view  of  the  field  with  regard  to  optimum  checking  procedures, 
given  an  exponential  distribution.  Miller  and  Singpurwalla  together 
and  singly  produced  a series  of  three  papers  on  the  theoretical  aspects  of 
maintained  systems  (Miller,  1975,  1976;  Miller  and  Singpurwalla,  1977). 

Yet  another  aspect  of  the  theoretical  problem  is  the  problem  of  com- 
puting the  reliability  of  complex  networks.  This  derives  from  the  diffi- 
culty of  determining  how  a piece  of  complex  equipment  will  in  fact 
perform,  given  the  reliability  of  its  several  components  and  the  mathe- 
matical form  ot  tl"-!.»  interaction.  Rosenthal  (1977)  summarizes  this 
problem  meek  amt  includes  useful  references. 

There  is  a f-i-iy  standard  set  of  literature  on  the  estimation  prob- 
lems involved  in  actuarial  analysis,  and  while  fine  estimation  is  not 
usually  necessary,  a paper  by  Rice  and  Rosenblatt  (1976)  covers  the  area 
well  for  these  who  wish  to  make  use  of  it.  The  actuarial  techniques  for 
studying  the  utility  of  overhaul  poiicies  were  well  laid  out  by  Altman 
and  Goor  (1946)  and  are  illustrated  by  Matteson  (1966)  with  two  differ- 
ent smoothing  techniques.  Another  smoothing  technique  is  suggested 
by  Barlow  and  Campo  (1975).  Their  proposal  is  identical  to  the  method 
recommended  in  this  text  (Appendix  C),  except  that  each  scale  is 
divided  by  its  maximum  value  and  the  inverse  function  is  plotted,  so 
that  increasing  failure  rates  plot  as  concave  rather  than  convex  curves. 
The  utility  of  plotting  both  axes  on  (0,1)  is  that  it  simplifies  the  compari- 
son to  standard  failure  laws  (such  as  Weibull)  through  the  use  of  overlays. 
The  reciprocal  of  the  slope  is  proportional  to  (rather  than  equal  to)  the 
conditional  probability  of  failure.  With  appropriate  assumptions,  the 
TTT  plot,  as  it  is  called  by  Barlow  and  Campo,  can  also  be  used  to  find 
the  optimal  overhaul  interval  by  graphical  means,  as  is  shown  by 
Bergman  (1977).  Bergman  also  calls  attention  to  an  earlier  work  (Berg- 
man, 1976)  and  to  Ingram  and  Scheaffer  (1976).  For  a more  general  dis- 
cussion of  smoothing  methods  and  their  advantages  and  disadvantages, 
see  Tukey  (1977),  particularly  chap.  7. 

Other  useful  papers  in  the  theoretical  area  include  a summary  of 
current  academic  research  by  Barlow  and  Proschan  (1976F),  a discussion 
of  Bayesian  zero-failure  reliability-demonstration  testing  procedure 
by  Waller  and  Martz  (1977),  and  papers  by  Martz  and  Lian  (1977)  and 
Martz  and  Waterman  (1977)  on  other  aspects  of  this  problem.  Martz, 
Campbell,  and  Davis  (1977)  consider  the  use  of  the  Kalman  filter  in 
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estimating  and  forecasting  failure-rate  processes  and  provide  an  inter- 
esting and  useful  bibliography  of  work  in  this  general  area,  including 
some  27  papers. 

As  a final  note  on  reliability  theory,  a paper  by  D.  C.  Bridges  (1974) 
on  the  application  of  reliability  to  the  design  of  ship's  machinery  offers 
a concise  discussion  of  this  field  as  of  1974.  In  addition  to  a brief  sum- 
mary of  reliability  theory  and  techniques  generally  associated,  there  is 
an  almost  passing  mention  of  data  collection  and  failure  modes  and 
effects  analysis.  The  paper  concludes  with  a discussion  by  several  other 
participants  in  the  forum  and  a reply  by  the  writer,  and  these  comments 
help  to  point  out  the  essence  of  the  problem  as  it  relates  to  design. 
Unfortunately  this  paper  does  not  go  the  next  s*ep  and  consider  the 
problems  of  reliability-centered  maintenance  from  the  user's  point  of 
view. 


D • 3 INFORMATION  SCIENCE  AND 
DECISION  ANALYSIS 

The  fields  of  information  science  and  decision  analysis,  with  their  sub- 
stantial overlap,  are  well  covered  in  an  excellent  bibliography  by  Law- 
rence (1976),  titled  The  Value  of  Information  in  Decision  Making.  The 
bibliography  is  an  appendix  to  a National  Academy  of  Sciences  report 
on  setting  statistical  priorities  and  covers  184  items  in  a field  Lawrence 
defines  as  information  science.  It  is  broken  down  into  several  sections: 
comparing  information  structures;  user  needs  and  parameters  of 
information-seeking  and  valuation  behavior;  managing  information 
systems;  decision  making  under  uncertainty,  the  expected  value  of  in- 
formation; the  economics  of  lack  of  perfect  information;  information 
and  governmental  policy;  quantitative  economic  policy;  the  value  of 
economic  forecasts;  does  the  market  overprovide  or  underprovide  for 
knowledge  production;  information  theory,  including  statistics;  and 
applications  to  economics  and  psychology.  A good  many  of  the  papers 
cited  are  addressed  to  questions  of  how  information  affects  policy. 

While  the  emphasis  is  on  application  to  governmental  problems,  the 
papers  in  general  are  much  broader.  There  is  a heavy  emphasis  on 
information  in  economic  structures,  and  hence  on  the  attempt  to  relate 
information  to  costs  of  decisions. 

There  are  several  papers  on  the  information  problem  in  mainte- 
nance that  are  worthy  of  note.  Hadden  and  Sepmeyer  (1956)  gave  a 
relatively  short  paper  on  the  methodology  'or  reliable  failure  reporting 
from  maintenance  personnel  which  raised  some  useful  questions  on 
consideration  of  the  human  factor.  Shapero,  Cooper,  Rappaport,  and 
Schaffer  (1960)  considered  the  problem  of  data  collection  in  weapon 
systems  test  programs.  Bell  (1  '65)  gave  a talk  on  information  needs  for 
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ference  that  is  worth  reading  During  the  same  period  th?re  were  several 
studies  of  the  data  problem  in  the  military,  including  one  by  Cohen, 
Hixon,  and  Marks  (1966)  on  maintenance-data  collection  and  the  Air 
Force  base-maintenance  management  system.  More  recently  Dudley, 
Chow,  Van  Vleck,  and  Pooch  (1977)  have  discussed  how  to  get  more 
mileage  out  of  data. 

The  formal  term  decision  theory  today  usually  refers  to  the  work 
originally  done  by  Abraham  Wald  (1947)  in  the  late  1930s  and  early 
1940s,  in  which  he  formulated  the  sequential  decision  problem  as  a 
special  case  of  sampling  theory.  A considerable  volume  of  literature 
derives  from  Wald's  work. 

The  next  stage  historically  is  the  development  of  the  theory  of 
games,  and  the  classic  work  on  this  is  Von  Neumann  and  Morgenstem 
(1944).  The  first  detailed  application  of  this  theory  to  business  decisions 
appears  to  be  the  work  reported  by  Masse  (1962).  Shortly  thereafter 
Magee  brought  this  concept  to  the  attention  of  a broader  community 
through  the  publication  of  two  articles  in  the  Harvard  Business  Revieiu 
(Magee,  1964a,  1964b).  A good  deal  of  the  literature  following  Magee  has 
to  do  with  investment  decision  making,  and  the  basic  thrust  of  the  use 
of  a decision  tree  for  such  purposes  is  that  the  tree  is  laid  out  first  in 
terms  of  the  available  decisions  and  next  in  terms  of  the  various  possi- 
ble actions,  including  those  not  under  the  control  of  the  decision  maker. 
Where  it  is  reasonable  to  postulate  a probability  distribution  for  the 
actions  not  under  the  control  of  the  decision  maker,  this  can  be  done; 
the  form  of  the  tree  then  provides  outcomes  at  each  terminal  in  such  a 
way  that  their  expected  dollar  values  can  be  computed,  given  the  appro- 
priate information. 

There  is  a fairly  large  literature  showing  applications  of  this  ap- 
proach, of  which  the  following  is  but  a sampling  to  indicate  the  breadth 
of  the  activity:  Flinn  and  Turban  (1970)  on  decision-tree  analysis  for  in- 
dustrial research;  Berger  and  Gerstenfeld  (1971)  on  decision  analysis 
for  increased  highway  safety;  Chinn  and  Cuddy  (1971)  on  project 
decision  and  control;  Gear,  Gillespi,  and  Allen  (1972)  on  the  evaluation 
of  applied  research  projects;  Swager  (1972)  on  relevance  trees  for  iden- 
tifying policy  options;  Berger  (1972)  on  implementing  decision  analysis 
on  digital  computers;  Feldman,  Klein,  and  Honigfel  (1972)  on  decision 
trees  for  psychiatric  diagnosis;  Whitehouse  (1974)  on  decision  flow  net- 
works; Rubel  (1975)  on  logic  trees  for  reactor  safety;  and  Wheelwright 
(1975)  on  decision  theory  for  corporate  management  of  currency- 
exchange  risks. 

There  are  three  standard  texts  in  this  area  that  should  be  noted: 
Schlaifer  (1969),  Raiffa  (1968),  and  Keeney  and  Raiffa  (1976).  Schlaifer's 
book  is  a nonmathematical  text  for  business  students  which  goes  into 
the  details  of  the  decision  problem  extensively  with  a number  of  prob- 
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lems  and  references  to  standard  Harvard  case  studies.  Raiffa's  treatment 
is  more  sophisticated.  Chapter  9,  The  Art  of  Implementation,  and  A 
General  Critique,  provides  a nice  summary  of  the  presentation  which 
goes  beyond  the  step  procedures  and  begins  to  evaluate  how  the 
process  is  actually  used  in  real  problems,  including  messy  real  prob- 
lems. Chapter  10  also  provides  a concise  history  of  the  subject,  together 
with  useful  observations  about  the  interrelationship  of  statistics,  infor- 
mation theory,  and  decision  theory.  In  a very  brief  bibliography  at  the 
end  of  the  book  Raiffa  calls  attention  to  Fellner  (1965),  which  includes 
an  excellent  annotated  bibliography  on  52  well-chosen  texts. 

In  the  preface  to  his  book  Raiffa  (1968)  lists  the  following  steps  for 
analysis  of  a decision  problem  under  uncertainty: 

► List  the  viable  options  available  to  you  for  gathering  information, 
for  experimentation,  and  for  action, 

► List  the  events  that  may  possibly  occur. 

► Arrange  in  chronological  order  the  information  you  may  acquire 
and  the  choices  you  may  make  as  time  goes  on. 

► Decide  how  well  you  like  the  consequences  that  result  from  the 
various  courses  of  action  open  to  you. 

► Judge  what  the  chances  are  that  any  particular  uncertain  event  will 
occur. 

It  is  interesting  to  compare  this  list  of  priorities  with  those  on  which 
RCM  decision  analysis  is  based: 

► Framing  the  questions  to  determine  the  consequences  of  failure 
in  such  a way  as  to  define  the  information  required  to  make  the 
decision 

► Framing  the  questions  to  select  those  maintenance  tasks  which  are 
both  applicable  and  effective 

► Specifying  the  default  action  to  be  taken  when  information  is 
lacking 

► Extending  the  approach  to  the  determination  of  when  to  make 
economic-tradeoff  studies  for  cases  that  are  both  important  and  too 
close  to  call 

► Providing  for  the  subsequent  action  to  be  taken  when  in-service 
information  begins  to  accumulate 

The  first  application  of  the  decision  diagram  to  aircraft  mainte- 
nance problems  was  developed  by  F.  S.  Nowlan  (1965)  at  United  Air- 
lines. This  internal  document  noted  the  importance  of  the  mechanism  of  SECTION  D-3  429 


failure,  the  need  for  information  about  inherent  reliability  character- 
istics, and  the  conditions  necessary  for  scheduled  overhaul  to  be  effec- 
tive, The  simple  decision  diagram  presented  was  not  unlike  the  top 
portion  of  the  RCM  decision  diagram  described  in  this  text,  in  which 
the  fundamental  questions  have  to  do  with  (1)  the  evidence  of  failure 
and  (2)  the  consequences  of  tailure.  A condensed  version  of  this  report 
was  also  included  in  a paper  presented  at  an  FAA  maintenance  sympo- 
sium in  November  1965  (Taylor  and  Nowlan,  1965). 

These  concepts  were  expanded  on  in  a later  paper  by  Matteson 
and  Nowlan  (1967),  and  the  decision  diagram  presented  in  this  work 
was  the  basis  for  MSG-1,  Handbook:  Maintenance  Evaluation  and  Program 
Development  (747  Maintenance  Steering  Group,  1968).  This  document 
led  to  further  improvements,  published  as  MSG-2,  Airline/Manufacturer 
Maintenance  Program  Planning  Document  (Air  Transport  Association, 
1970).  These  developments  were  also  reported  on  by  Dougherty  (1970), 
Matteson  (1972 b),  and  Nowlan  (1972).  A European  version  of  MSG-2, 
European  Maintenance  Systems  Guide  (A-300  B Maintenance  Steering 
Commiitee,  1972),  appeared  only  a few  years  later. 


D -4  MAINTENANCE  THEORY  AND  PHILOSOPHY 

Design  developments  in  the  aircraft  industry  from  1930  to  1960  greatly 
improved  operating  safety  and  resulted  in  more  maintainable  equip- 
ment. However,  these  two  objectives  also  had  the  combined  effect  of 
significantly  increasing  the  complexity  of  equipment  and  reducing 
the  utility  of  hard-time  limits.  In  a review  paper  published  in  1968, 
W.  C.  Mentzer  observed  that  United  Airlines  began  work  under  his 
direction  in  1960  on  two  basic  questions:  "Do  we  understand  the  funda- 
mental principles  which  underlie  the  way  we  maintain  our  aircraft?" 
and  "Do  we  really  know  why  we  do  what  we  do?".  The  incentive  for  a 
thorough  investigation  into  these  questions  was  provided  by  the  very 
simple  fact  that  maintenance  of  aircraft  for  typical  airlines  in  the  United 
States  at  that  time  represented  approximately  30  percent  of  total  direct 
and  indirect  operating  costs.  The  general  history  of  this  development  is 
well  summarized  in  Appendix  B of  this  book. 

John  F.  McDonald  (1963)  presented  a detailed  and  highly  readable 
paper  titled  Reliability,  a Random  Discussion,  in  which  he  takes  a 
closer  look  at  the  overall  problem  of  reliability,  the  difficulties  of  pre- 
dicting performance  in  the  field  prior  to  actual  experience,  and  the 
utility  of  hard-time  limits  in  actual  operation.  As  a vehicle  for  carrying 
his  general  discussion,  he  repeatedly  cites  quotations  from  Oliver  Wen- 
dell Holmes'  famous  poem  The  Deacon's  Masterpiece,  or  The  Wonderful 
" One-Hoss  Shay."  A Log. cal  Story,  including  the  key  line  that  states  "A 
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chaise  breaks  down,  but  doesn't  wear  out."  The  suggestion  that  Oliver 
Wendell  Holmes  is  the  true  father  of  modem  maintenance  theory  would 
perhaps  not  be  well  met  in  all  circles,  but  the  observation  that  “things 
break  down  but  do  not  wear  out"  is,  of  course,  one  of  the  keys  to  the 
understanding  of  the  maintenance  process  for  complex  items.  J.  ],  Eden 
(1963),  in  a paper  titled  Engine  Overhaul  Life,  An  Outdated  Concept, 
makes  the  point  quite  clearly  from  his  experience  with  ’ifansCanada. 

The  inherent  difficulties  in  predicting  reliability  first  suggested  by 
McDonald  were  reiterated  in  two  papers  presented  at  the  1965  Meeting 
on  Reliability  and  Maintainability  in  Los  Angeles,  The  titles  are  enough 
to  indicate  the  difficulty:  Finocchi  (1965)  wrote  that  Reliability  Has 
Failed  to  Meet  Its  Goals,  and  Grose  (1965)  titled  his  paper  Reliability  Can 
Be  Predicted?  (A  Negative  Position).  Matteson  (1966)  provided  addi- 
tional insight  into  the  use  of  reliability  analysis  of  in-service  equipment 
as  a guide  for  reducing  maintenance  cost  and  spare-parts  requirements. 

Ashendorf  (1967)  added  further  ideas  in  this  direction  by  noting  the 
"pitfalls  in  reliability  predictions."  In  all  these  works,  from  McDonald 
to  Ashendorf,  one  senses  the  growing  recognition  that  maintenance 
must  be  able  to  cope  with  performance  that  falls  short  of  design  pre- 
diction. This  implies  the  need  to  redesign  and/oi  change  mission 
requirements  to  allow  the  user  to  get  the  maximum  performance  from 
the  equipment.  Maintenance  in  turn  must  then  be  done  in  a context 
which  allows  redesign  as  a possibility  and  also  is  prepared  for  sur- 
prise, particularly  in  the  early  years  of  use  of  the  equipment.  These 
observations  imply  important  economic  consequences  that  must  be 
planned  for  in  preparation  for  the  use  and  maintenance  of  the  equip- 
ment. 

For  many  years  primary  maintenance  consisted  of  hard-time  in- 
spection and  overhaul  tasks.  This  concept  underwent  rapid  reevalua- 
tion in  the  early  1960s,  as  pointed  out  by  K.  E.  Neland  (1966)  in  a paper 
presented  at  the  Maintenance  Symposium  on  Continued  Reliability  of 
Transport-type  Aircraft  Structure  in  Washington,  D.C.  Neland,  then  chief 
of  the  air-carrier  maintenance  branch  of  the  Federal  Aviation  Agency, 
presented  a brief  history  of  developments  of  maintenance  policies  and 
procedures  from  tne  FAA  point  of  view.  In  the  first  phase,  he  noted, 
most  aircraft  prior  to  World  War  II  were  subject  to  the  one-step  overhaul 
process.  As  a result  of  the  rapid  integration  of  surplus  aircraft  into 
commercial  fleets  after  World  War  II,  the  late  1940s  and  1950s  were 
dominated  by  a set  of  phase  inspections  which  provided  the  FAA, 
among  others,  with  much  more  detailed  information  about  the  rate  of 
deterioration  of  performance  and  safety  features  over  a period  of  time. 
This  history  of  deterioration  allowed  the  FAA  to  take  a much  kinder 
view  toward  the  philosophy  of  on-condition  inspection,  which  became 
increasingly  important  after  1960. 
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In  June  of  1967  Matteson  and  Nowlan  (1967)  presented  a paper  titled 
Current  Trends  in  Airline  Maintenance  Programs  at  the  AIAA  Commer- 
cial Aircraft  Design  and  Operations  Meeting  m Los  Angeles.  In  this 
paper  they  gave  a generalized  definite  of  a failure  and  discussed  the 
mechanism  by  which  failures  occur  y then  went  on  to  develop  a 
decision  diagram  to  facilitate  logica'  analysis  of  the  decisions  required 
during  development  of  a scheduled-maintenance  program.  This  discus- 
sion was  essentially  an  update  of  Nowlan's  earlier  paper,  and  the  de- 
cision diagram  was  considerably  more  detailed.  It  is  this  more  detailed 
decision  diagram  that  provided  the  basis  a year  later  for  MSG-1,  a work- 
ing paper  prepared  by  the  Maintenance  Steering  Group  for  the  Boeing 
747  (1968).  This  document  was  approved  by  the  747  interairline  main 
tainability  conference  on  July  10,  1968. 

The  Boeing  747  was  the  first  turbine-powered  wide- body  aircraft  to 
en.er  commercial  aviation.  The  preparation  of  a maintenance  program 
prnr  to  sendee  involved  even  greater  concern  about  safety,  given  the 
large  number  of  passengers  'his  aircraft  would  be  carrying.  This  exer- 
cise was  the  first  application  of  the  concept  of  reliability-centered  main- 
tenance. While  the  procedure  is  now  somewhat  better  understood,  the 
basic  questions  that  had  to  be  faced  are  the  same  today  as  they  were  a 
decade  ago. 

The  work  that  led  to  the  development  of  MSG-1  was  not  lost  on  the 
manufacturers  of  aircraft  or  on  the  FA  A.  Several  papers  appearing  at 
about  the  same  time  made  it  quite  clear  that  the  relationship  between 
the  manufacturer's  responsibility  for  maintainability  and  the  user's 
responsibility  for  maintenance  were  closely  interrelated.  R.  B.  Mac- 
Gregor (1968)  spoke  to  this  question  directly  at  the  Los  Angeles  Main- 
tainability Association  in  September  1968.  Matteson  (1969)  discussed 
in-service  safety  and  reliability  and  the  role  of  maintenance  at  some 
length.  Nowlan  (1969)  reviewed  the  on-condition  philosophies  from  a 
planning  and  operational  viewpoint.  Matteson  (1969h)  discussed  the 
condition-monitoring  path  on  the  Boeing  747,  and  Adams  (1969)  pro- 
vided further  insight  into  the  concept  of  increased  safety  through  the 
new  maintenance  concepts.  These  developments  all  had  some  influence 
on  the  creation  of  the  Airline/ Manufacturer  Maintenance  Program  Plan- 
ning Document,  MSG-2  (Ail  Transport  Association, 1970).  This  document, 
which  was  prepared  as  the  starting  point  for  the  wide  body  Douglas 
DC- 10  and  the  Lockheed  L-1011,  represented  a refinement  of  the  MSG-1 
procedures  developed  for  the  747. 

Also  in  1970  the  ATA  Reliability  and  Maintainability  Subcommittee, 
consisting  of  half  a dozen  members  from  as  many  airlines,  presented  a 
talk  on  reliability  and  maintainability  from  an  airline  standpoint 
(Roberson,  1970),  At  about  the  same  time  J.  E.  Dougherty,  Jr.  (1970) 
reviewed  the  development  of  the  initial  maintenance  program  for  the 
Boeing  747  from  the  viewpoint  of  the  Department  of  Transportation. 


Other  papers  followed  in  order  over  the  next  year  or  two.  Those  which 
are  of  general  interest  include  Schonewise  (1971),  Heap  and  Cockshott 
(1973),  Matteson  (1971a,  1971b,  1972b),  Mellon  (1972),  and  Nowlan  (1972, 

1973) . 

At  this  lime  also  several  writers  began  to  look  more  closely  at  the 
relationship  between  nondestructive  testing  and  full-scale  testing  as 
potential  information  generators  for  maintenance  decisions.  See,  for 
instance,  Matteson  (1972a)  and  Stone  (1973),  and  Dougherty  (1974), 
who  reviewed  FAA  activities  over  the  preceding  15  years  and  made 
some  suggestions  as  to  where  this  activity  was  likely  to  go  in  the 
future. 

The  development  of  practicing  maintenance  was  very  nicely  sum- 
marized by  John  F.  McDonald  (1972)  in  a paper  presented  to  the  Seventh 
Annual  Convention  of  the  Society  of  Logistics  Engineers  in  August  1972. 
This  paper,  in  addition  to  summarizing  the  history  for  commercial  air- 
lines, draws  interesting  comparisons  between  what  is  done  in  the  air- 
lines and  what  is  feasible  in  the  military,  with  some  strong  suggestions 
as  to  the  utility  of  the  techniques. 

The  obvious  success  of  the  principles  embodied  in  Boeing  747  and 
Doublas  DC-10  maintenance  programs  was  noted  by  the  Department  of 
Defense,  which,  of  course,  has  a substantial  maintenance  problem.  A 
review  of  the  McDonnell  F4J,  an  aircraft  already  in  service,  was  done  by 
United  Airlines  (1974,  1975,  1977).  Bell  Helicopter  Company  published 
a report  on  flight-contrcl-system  reliability  and  maintainability  inves- 
tigations for  the  Army  (Zipperer,  1975).  The  National  Security  Indus- 
trial Association  (1975)  issued  an  ad  hoc  study  on  the  impact  of  commer- 
cial-aircraft maintenance  and  logistic-support  concepts  on  the  flight- 
cycle  cost  of  air  ASW  weapons  systems  which  provides  some  insight 
into  the  economic  questions  of  maintenance  in  military  systems.  The 
Naval  Air  Systems  Command  (1975)  also  produced  a management 
manual,  NAVAIR  00-25-400,  which  provided  a maintenance -plan 
analysis  guide  for  in-service  Naval  aircraft,  and  Project  Rand  at  abou  t 
the  same  time  issued  a study  from  the  Air  Force  point  of  view  (Cohen, 

1974) .  Rolf  Krahenbuhl  (1976)  discussed  the  problem  of  maintaining 
transport  aircraft  at  a meeting  given  at  Oxford.  The  British  Civil  Avia- 
tion Authority  (1976)  produced  a working  draft  on  the  safety  assess  rent 
of  systems  in  September  1976. 

Returning  to  developments  in  the  military  in  this  country,  Elwell 
and  Roach  (1976)  reported  on  the  scheduled-maintainance  problems 
ior  the  F4J  aircraft.  The  following  year  Saia  (1977)  provided  a compre- 
hensive evaluation  of  changes  in  the  U.S.  Navy  aircraft  maintenance 
program  and  LaVallee  (1977)  prepared  a Navy  report  on  logistic  support 
analysis.  Lockheed,  California,  began  an  extended  inquiry  into  the 
applicabilitv  of  reliability-centered  maintenance  to  Naval  ships  in  1977. 
The  first  report,  Availability  Centered  Maintenance  Program  Survey  (1977a) 


was  subsequently  augmented  by  scheduled-maintenance  program- 
development  procedures  (1977b). 

Each  of  the  basic  types  of  maintenance  tasks  poses  its  own  special 
problems  with  regard  to  the  selection  of  optimal  intervals,  and  in  each 
case  the  problem  must  be  further  specified  to  a particular  piece  of  equip- 
ment before  it  is  resolvable  On-condition  inspection,  for  instance,  can 
be  specified  in  terms  of  two  intervals:  the  time  to  the  first  on-condition 
inspection  and  the  repeat  intervals  after  the  first  inspection.  A recent 
article  discussing  this  problem  in  structures  (with  some  23  references)  is 
Johnson,  Heller,  and  Yang  (1977).  The  problem  was  also  discussed  in  the 
broader  context  of  an  MSG-2  analysis  of  the  Douglas  DC- 10  in  Stone  and 
Heap  (1971).  For  a nonairline  example  see  Arnett  (1976).  The  possibility 
of  mixing  random  inspections  with  regularly  scheduled  inspections  in 
structure  is  considered  in  Eggwertz  and  Lindsjo  (1970),  Study  of  In- 
spection Intervals,  which  also  contains  a useful  set  of  references. 

The  use  of  the  exponential  function  for  “random"  failures  as  a 
basis  for  choosing  inspection  intervals  for  hidden  functions  was  con- 
sidered at  length  in  Kaniins  (I960).  Two  other  Rand  reports  consider 
"noisy"  (imperfect)  inspections  (Eckles,  1967)  and  the  problem  of  mea- 
suring time  in  military  operations,  where  use  per  unit  of  calendar  time 
can  vary  widely  from  one  unit  to  the  next  (Cohen,  1972).  The  latter 
report  also  provides  some  insight  into  the  problem  of  extending  in- 
tervals in  light  of  real  operating  experience. 

Safe-life  intervals  provide  an  entirely  different  set  of  problems 
because  of  the  need  to  establish  the  intervals  through  test  results.  A 
nice  discussion  of  this  is  provided  by  Jensen  (1965),  who  said: 

It  is  not  surprising  that  we  have  reached  the  conclusion  that  fatigue 
tests  are  not  a panacea  or  cure-all  to  which  we  can  turn  in  estab- 
lishing a "safe-life."  The  assignment  of  a "safe-life"  based  on 
tests  involves  a great  many  assumptions.  If  these  assumptions  are 
wrong,  we  have  the  unpahtable  result  of  a catastrophic  failure. 

One  of  the  assumptions  in  setting  safe-life  intervals  is  that  it  is  possible 
to  accelerate  a life  test  and  determine  from  the  accelerated  test  what  can 
be  expected  later  in  real  time. 

The  deeper  question  of  whether  scheduled  overhaul  might  actually 
provide  negative  effects  is  discussed  in  two  Navy  documents  of  some 
importance,  a study  by  LaVallee  (1974)  on  aircraft  depot-level  mainte- 
nance, and  one  by  Capra  (1975)  on  engine  maintenance. 

In  the  course  of  designing  and  bringing  a piece  of  complex  equip- 
ment to  production,  there  is  a considerable  amount  of  activity  aimed  at 
ensuring  that  the  proper  safety  characteristics  and  overall  system  effec- 
tiveness '.ensures  are  met.  In  a usetul  summary  paper  Grose  (1971/)) 
piovides  a breakdown  of  the  basic  areas  of  activity  aimed  at  system 
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effectiveness:  design  review;  development  test  analysis;  failure  analysis 
and  corrective  action;  failure  modes  and  effects  analysis  (FMEA);  fault- 
tree  analysis;  life  testing;  maintainability  evaluation;  parametric- 
variability  analysis;  prediction,  apportionment,  and  assessment;  pro- 
ducibility  analysis;  stress  testing;  and  tradeoff  studies. 

There  is  now  a very  large  literature  on  the  various  aspects  of  sys- 
tem effectiveness,  much  of  it  specific  to  particular  types  of  equipment, 
such  as  electronic  components.  The  1977  Proceedings  of  the  Annual  Re- 
liability and  Maintainability  Symposium  includes  a representative  set  of 
papers.  Spoormaker  (1977)  discusses  reliability  prediction  for  airplane- 
type  springs.  Bertolino  and  Grefsrud  (1977)  consider  the  failure  analysis 
of  digital  systems  using  simulation.  Hughes,  Fischler,  and  Rauch  (1977) 
provide  some  idea  of  how  to  use  pattern  recognition  in  product  assur- 
ance. Onodera,  Miki,  and  Nukada  (1977)  discuss  a variation  of  the  fail- 
ure modes  and  effects  analysis,  which  they  call  HI-FMECA,  in  making 
a reliability  assessment  for  heavy  machinery.  Bishop  et  al.  (ll>77)  go 
over  a number  of  aspects  of  reliability  availability,  maintainability, 
and  logistics.  Dennis  (1977)  considers  prediction  of  mechanical  reliabil- 
ity, nondestructive  evaluation,  and  other  present  and  future  design 
practices.  Plouff  (1977)  provides  some  information  on  avionic  reliability 
experience  for  the  AR-104  and  the  781B. 

These  proceedings  also  have  three  rather  interesting  papers  on  re- 
liability and  maintainability  experiments.  McCall  (1977)  discusses  the 
statistical  design  of  such  experiments.  Herd  (1977)  carries  this  a step 
further,  and  Gottfried  (1977)  provides  a brief  discussion  of  the  inter- 
pretation of  statistically  designed  R & M tests. 

Other  work  in  this  general  area  includes  an  evaluation  by  Barlow 
and  Proschann  (1976o)  of  the  techniques  for  analyzing  multivariate 
failure  analysis  and  an  article  by  Cooper  and  Davidson  (1976)  of  the 
parameter  method  for  risk  analysis.  Callier,  Chan,  and  Desoer  (1976) 
consider  the  input-output  problem  using  decomposition  techniques. 
The  use  of  input-output  methods  goes  back  to  Leontif  and  has  been 
widely  used  in  an  attempt  to  analyze  complex  economic  systems.  How- 
ever, these  techniques  have  not  been  in  great  use  for  analysis  of  the 
reliability  of  a maintained  piece  of  complex  equipment  for  reasons  that 
are  clear  from  the  present  text. 

Weiss  and  Butler  (1965),  in  a paper  entitled  Applied  Reliability 
Analysis,  give  a brief  summary  of  the  basic  problem  from  design  to 
application,  the  analytic  and  information  difficulties  therein,  and  the 
typical  methods  used  to  cope  with  these  difficulties.  Another  aspect  of 
the  design  problem,  now  called  common-failure-mode  analysis,  appears 
when  a system  designed  to  have  redundant  features  to  protect  safety 
and  reliability  has  at  the  heart  a common  failure  mode  that  can  remove 
the  perfection  provided  by  the  redundancy,  A summary  discussion  in 
this  area  is  given  by  Apostolakis  (1976). 
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The  main  applications  of  reliability-centered  maintenance  as  described 
in  this  text  are  to  commercial  and  military  aircraft,  and  the  primary 
documents  that  one  should  study  to  get  a full  feeling  for  the  depth  of 
the  application  are  the  Maintenance  Review  Board  documents  for  these 
aircraft,  notably  the  Boeing  747,  the  Douglas  DC-10,  and  the  Lockheed 
L-1011.  The  simple  act  of  leafing  through  page  after  page  of  summary 
worksheets,  which  show  how  the  decisions  were  made  for  each  of  the 
significant  items,  provides  a feeling  of  the  reality  of  these  procedures  in 
practice  on  important  physical  equipment. 

However,  these  documents  are  not  widely  available,  and  they  are, 
of  course,  quite  bulky—  typically  running  tc  12  inches  or  more  of  stan- 
dard of  8V2  X 11  paper.  A much  shorter,  but  still  interesting,  overview 
of  this  process  is  provided  by  the  Orion  Service  Digest  (1976),  which 
summarizes  the  studies  for  the  Lockheed  P3  maintenance  program. 
Among  other  things,  this  document  provides  a good  picture  of  the  pack- 
aging problem,,  showing  when  the  various  tasks  have  to  be  done  and  how 
they  are  grouped  together.  The  reports  by  United  Airlines  (1974, 1975a, 
1975 b),  which  conducted  the  comparable  study  for  the  McDonnell  F4J, 
include  a fairly  short  report  on  the  analysis  process,  as  well  as  a nice 
breakdown  of  the  zonal  description  and  inspection  requirements. 

In  1975  the  Institute  for  Defense  Analyses  preoared  an  extensive  set 
of  reports  titled  Accomplishing  Shipyard  Work  for  the  United  States  Navy 
(Heinze,  1975;  Morgan  et  al„  1975).  These  reports  do  not  get  to  the  prob- 
lem of  reliability -centered  maintenance  as  currently  conceived,  but 
rather  provide  extensive  detail  on  the  context  in  which  a Navy  shipyard 
maintenance  program  must  be  implemented.  The  third  volume  of  the 
reports,  by  Heinze  (1975),  includes  an  extensive  bibliography  on  the 
subject. 

Another  picture  of  the  problem  from  the  Navy  point  of  view  was 
developed  by  the  Naval  Underwater  Systems  Center  at  New  London 
(Howard  and  Lipsett,  1976)  and  published  under  the  title  Naval  Sea 
Systems  Operational  Availability  Quantification  and  Enhancement.  This 
is  a fairly  extensive  report  that  tries  to  provide  the  overall  context  of  the 
problem,  not  just  the  maintenance  problem  itself,  and  ihe  inherent 
difficulties  in  trying  to  establish  system  effectiveness  measures,  avail- 
ability measures,  and  the  like  in  the  Naval  situation. 

At  a more  detailed  level,  the  literature  about  maintenance  of  aircraft 
can  be  broken  into  the  three  primary  major  divisions  of  the  aircraft- 
structures,  powerplnnts,  and  systems.  The  literature  on  systems  is 
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ture  on  structures  is  generally  easier  to  obtain  because  the  structure 
as  an  integrated  entity  is  generally  subject  to  the  common  problems  of 
corrosion  and  fatigue,  and  the  signals  of  reduced  resistance  to  failure 
are  primarily  those  obtained  by  inspecting  for  cracks  and  leaks. 

One  view  of  the  problem  addressed  specifically  to  maintenance 
problems  of  structures  can  be  found  in  the  Lockheed  L-1011.385-1  main- 
tenance program,  submitted  to  the  FAA  as  justification  for  this  program. 

Section  3 on  structures  is  brief,  but  to  the  point,  and  provides  useful 
background.  The  Douglas  DC-10  structural  inspection  program;  also 
developed  by  analysis  techniques  which  were  the  immediate  predeces- 
sor of  RCM  analysis,  was  described  extensively  in  a report  by  Stone 
and  Heap  (1971).  This  paper  provides  a history  of  structural  analysis 
and  a general  description  of  the  techniques  employed. 

The  literature  on  powerplant  maintenance  problems  is  quite  exten- 
sive. Rummel  and  Smith  (1973)  conducted  a detailed  investigation  cf  the  * 

reliability  and  maintainability  problems  associated  with  Anny  aircraft 
engines.  This  report  is  primarily  devoted  to  a careful  examination  of 
the  ways  that  engines  can  fail  and  the  causes  for  removals.  It  is  pertinent 
to  note  that  in  this  study  over  40  percent  of  the  engine  removals  were 
for  unknown  or  convenience  reasons.  Over  half  the  remaining  engine 
removals  were  accounted  for  by  foreign-object  damage,  improper 
maintenance,  leakage,  erosion,  operator-induced  problems,  etc.  The 
report  provides  a useful  perspective  on  the  overall  maintenance  prob- 
lem in  the  Army's  use  of  such  equipment. 

Sattai  and  Hill  (1975)  discussed  the  problems  of  designing  jet- 
engine  rotors  for  long  life.  Edwards  and  Lew  (1973)  updated  the  Taylor 
and  Nowlan  (1965)  report  on  United  Airlines'  turbine-engine  mainte- 
nance program,  and  Nowlan  (1973)  presented  a further  report  on  the 
general  background  and  development  of  this  program. 

The  Center  for  Naval  Analyses  (Capra  et  al.,  1975)  did  its  own 
survey  of  aircraft  engine  maintenance,  which  concluded  that  within 
the  current  range  of  operations  "engines  wear  in  but  do  not  wear  out." 

This  of  course,  led  to  a recommendation  that  policies  which  would 
deciease  the  number  of  overhauls  performed  and  increase  the  time 
between  overhauls  appeared  to  be  reasonable  from  a reliability  and 
safety  standpoint.  Historically,  this  report  provided  a major  impetus 
for  the  further  study  of  reliability-centered  maintenance  in  the  Navy. 

Boeing  Vertol  also  prepared  a report  on  turbine-engine  reliability 
for  the  Eustis  directorate  of  the  U.S  Army  (Rummel  and  Byrne,  1974). 

This  was  a follow-up  to  the  report  by  Rummel  and  Smith  (1973)  on  Army 
aircraft  engines  and  includes  a careful  overall  description  of  the  prob- 
lems of  maintenance  in  the  armed  services.  This  report  notes  in  partic- 
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Previous  studies  have  shown  that  maintenance  damage  is  a prob- 
lem of  similar  magnitude  in  the  three  military  services  and  is  at 
least  10  times  that  which  had  been  experienced  in  the  commercial 
airlines  service.  ; 

This  difficulty  is  at  least  partially  attributable  to  the  higher  turnover  in 
service  personnel  than  is  common  in  commercial  airlines,  which  makes 
an  important  difference  in  the  overall  picture  of  maintenance  analysis 
for  the  military.  It  becomes  even  more  critical  in  military  applications 
to  ensure  that  unnecessary  maintenance  is  carefully  eliminated  from 
the  maintenance  schedule  because  of  the  relatively  high  probability 
that  it  will  in  fact  worsen  the  condition  of  the  equipment. 

Two  recent  papers  might  also  be  mentioned,  as  they  point  the  way 
toward  increased  emphasis  on  life-cycle  analysis  and  logistics,  which 
includes,  of  course,  the  cost  of  maintenance  as  part  of  the  overall  cost 
of  operations.  Nelson  (1977)  discusses  the  life-cycle  analysis  of  aircraft 
turbine  engines  in  summary  form  from  the  executive  point  of  view. 
Benet  and  Shipman  (1977)  discuss  a logistics-planning  simulation 
model  for  Air  Force  spare-engine  management. 

Among  the  systems  applications  Cole  (1971)  provides  a useful  look 
at  effective  avionic  maintenance.  Another  example  of  a system  of  critical 
importance  is  the  helicopter  transmission;  this  system  is  not  redundant, 
and  a transmission  failure  can  have  critical  consequences  for  the  heli- 
copter. Dougherty  and  Blewitt  (1973)  published  a thorough  study  of 
the  possible  uses  of  on-condition  maintenance  for  helicopter  trans- 
missions which  provides  insight  into  the  nature  of  criticality  analysis, 
as  well  as  the  utility  of  on-condition  maintenance  as  a maintenance 
philosophy. 

Another  interesting  set  of  papers  on  reliability  theory  was  compiled 
by  Barlow,  Fussell,  and  Singpurwalla  (1975).  This  publication  includes 
papers  by  well-known  writers  on  eight  different  topics:  fault-tree  meth- 
odology, computer  analysis  of  fault  trees  and  systems,  mathematical 
theory  of  reliability,  theory  of  maintained  systems,  statistical  theory  of 
reliability,  network  reliability,  computer  reliability,  and  reliability 
and  fault- tree  applications.  It  is  an  excellent  summary  of  the  state  of 
the  art  in  this  area  as  of  1975. 
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The  first  major  bibliography  on  reliability  was  prepared  by  Menden- 
hall (1958)  and  updated  by  Govindaragulu  (1964).  The  most  recent  bibli- 
ography appears  to  be  one  by  Osaki  and  Nakagawa  (1976).  In  addition 
to  these  special  bibliographies,  a number  of  books  provide  very  useful 
annotated  bibliograph,es.  Some  of  these  already  cited  include  Duncan 
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(1953)  on  quality  control,  Barlow  and  Proschan  (1965)  on  the  mathemat- 
ical theory  of  reliability,  and  Lawrence  (1976)  on  information  science. 
It  should  also  be  noted  that  most  of  the  journal  papers  on  the  subject 
are  well-indexed  in  on-line  data  bases  and  printed  indexes.  Another 
useful  bibliography  is  one  put  together  by  the  U.S.  A*r  Force  (1977), 
which  is  broken  down  into  several  sections:  equipment  and  systems 
reliability  in  maintenance,  reliability  physics,  solid-state  applications, 
and  software  reliability  studies. 

There  are  also  several  basic  publications  that  group  together  papers 
of  direct  interest  on  this  multifaceted  subject.  The  IEEE  Transactions  on 
Reliability,  now  in  its  twenty-sixth  volume,  covers  much  of  the  reliability 
theory  and  applications  to  electronic  equipment.  From  1954  to  1965  there 
was  a yearly  National  Symposium  on  Reliability  and  Quality  Control, 
renamed  from  1966  to  1971  the  Annual  Symposium  on  Reliability.  Con- 
currently from  1962  to  1971  there  was  a Reliability  and  Maintainability 
Conference.  In  1972  these  two  activities  were  merged  as  the  Annual  Reli- 
ability and  Maintainability  Symposium,  which  is  still  the  current  title. 
As  will  have  been  noted  from  a casual  inspection  of  the  folio  wing  refer- 
ence list,  a large  number  of  the  papers  cited  in  this  bibliography  first 
appeared  in  onj  of  these  annual  proceedings. 

Adams,  H.  W.  (1969)  Increased  Safety  through  New  Maintenance  Concepts, 
Fifth  Annual  Aviation  Maintenance  Symposium,  Oklahoma  City,  Ok, 
December  9-11,  1969  (Douglas  5698). 

Aerojet  Nuclear  Systems  (1970)  Instructions  for  System  Failure-mode,  Effect,  and 
Criticality  Analysis  for  the  Nerva  Engine,  Aerojet  Nuclear  Systems  Company, 
Sacramento,  Ca,  July  1,  1970. 

Aeronautical  Radio,  Inc.  (1958)  A Selection  of  Electron  Tube  Reliability  Functions, 
Aeronautical  Radio,  Inc.,  Reliability  Research  Department,  Washington, 
DC,  1958  (ARINC  Publ.  10). 

Air  Transport  Association  (1970)  Airline! Manufacturer  Maintenance  Program 
Planning  Document:  MSG-2,  Air  Transport  Association  R&M  Subcommittee, 
Washington,  DC,  March  25,  1970. 

Altman,  Oscar  L.,  and  Charles  G.  Goor  (1946)  Actuarial  Analysis  of  the 
Operating  Life  of  B-29  Aircraft  Engines,  /.  Am.  Statist.  Assoc.,  41:lc'0-203. 

Apostolakis,  George  F..  (1976)  Effect  of  a Certain  Class  of  Potential  Common 
Mode  Failures  on  the  Reliability  of  Redundant  Systems,  Nucl.  Eng.  Des., 
36(1):123— 133. 

Arnett,  L.  M.  (1976)  Optimization  of  Inservice  Inspection  of  Pressure  Vessels, 
Energy  Research  and  Development  Administration,  Savannah  River  Lab- 
oratory, Aiken,  SC,  1974-1976. 

Ashendorf,  George  (196 7)  Pitfalls  in  Reliability  Predictions,  Aim.  Reliability 
Maintainability,  6:576-581. 

Association  of  European  Airlines  (1976)  European  Maintenance  Systems  Guide 
to  Developing  Initial  Maintenance  Programmes  for  Civil  Air  Transport: 
F.MSG-2,  Association  of  European  Airlines,  M&R  Subcommittee,  March, 
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glossary 


actuarial  analysis  Statistical  analysis  of  failure  data  to  determine  the 
age-reliability  characteristics  of  an  item. 

age  The  measure  of  a unit 's  total  exposure  to  stress,  expressed  as  the 
number  of  operating  hours,  flight  cycles,  or  other  stress  units  since  new 
or  since  the  last  shop  visit. 

age  exploration  The  process  of  collecting  and  analyzing  information* 
from  in-service  equipment  to  determine  the  reliability  characteristics 
of  each  item  under  actual  operating  conditions. 

age  at  failure  The  age  at  which  the  failure  of  a specific  unit  of  an  item 
is  observed  and  reported  (see  average  age  at  failure). 

age-reliability  characteristics  The  characteristics  exhibited  by  the 
conditional-probability  curve  which  represents  the  relationship  be- 
tween the  operating  age  of  an  item  and  its  probability  of  failure  (see 
actuarial  analysis,  conditional  probability  of  failure). 

airworthiness  directive  A Federal  Aviation  Administration  directive 
that  defines  the  scheduled  maintenance  tasks  and  intervals  necessary 
to  prevent  a specific  type  of  critical  failure.  The  directive  is  issued  after 
operating  experience  has  shown  than  the  equipment  is  exposed  to  such 
a failure,  and  the  specified  maintenance  must  be  continued  until  hard- 
ware modifications  eliminate  the  need  for  it. 

analysis  and  surveillance  See  age  exploration. 

analysis  systems  One  of  the  various  information  systems  employed 
for  monitoring  the  performance  and  reliability  of  equipment  in  opera- 
tion. 

applicability  criteria  The  specific  set  of  conditions  that  must  charac- 
terize the  failure  behavior  of  an  item  for  a given  type  of  maintenance 

task  to  be  capable  of  improving  its  reliability  (see  effectiveness  criterion).  * GLOSSARY  453 
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auditing  The  systematic  review  of  the  RCM  decision-making  process 
by  an  independent  observer. 

average  age  at  failure  The  average  of  the  failure  ages  of  all  failed  units 
of  an  item, 

average  availability  The  expected  availability  of  a hidden  function, 
given  a specified  failure-finding  task  interval. 

average  realized  life  The  expected  life  of  an  item,  computed  on  the 
basis  of  total  removals  and  total  exposure  of  all  units  of  the  item  (see 

survival  curve). 

bathtub  curve  A conditional-probability  curve  which  represents  the 
age-reliability  relationship  of  certain  items,  characterized  by  an  infant- 
mortality  region,  a region  of  relatively  constant  reliability,  and  an 
identifiable  wearout  region. 

borescope  inspection  A main  tenance  technique  that  employs  an  optical 
device  (borescope)  for  performing  visual  inspections  of  internal  parts 
of  an  assembly,  usually  through  ports  provided  for  that  purpose. 

class  number  A number  that  is  the  lowest  of  the  individual  ratings 
for  a structurally  significant  item  or  a zone,  used  to  determine  the 
relative  length  of  inspection  intervals  (see  structural  ratings ). 

complex  item  An  item  whose  functional  failure  can  result  from  any 
one  of  numerous  failure  modes  (see  simple  item). 

condition-monitoring  process  In  current  regulatory  usage,  a mainte- 
nance process  characterized  by  the  absence  of  scheauled-maintenance 
tasks.  Items  (including  those  with  hidden  functions)  remain  in  service 
until  a functional  failure  occurs,  and  their  overall  reliability  is  monitored 
by  analysis  and  surveillance  programs  (see  no  scheduled  maintenance, 
failure- finding  task). 

conditional  overhaul  A maintenance  practice  for  returning  the  time- 
since-overhaul  measure  to  zero,  in  which  the  content  of  the  work  varies 
according  to  the  condition  of  the  unit  when  it  arrives  in  the  shop.  This 
can  be  as  little  as  a postoverhaul  performance  test  or  as  much  as  complete 
disassembly  and  remanufacture. 

conditional  probability  of  failure  The  probability  that  an  item  will 
fail  during  a particular  age  interval,  given  that  it  survives  to  enter  that 
interval  (see  probability  density  of  failure). 

consequences  of  failure  The  results  of  a given  functional  failure  at  the 
equipment  level  and  for  the  operating  organization,  classified  in  RCM 
analysis  as  safety  consequences,  operational  consequences,  nonopera- 
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corrective  maintenance  The  replacement  or  repair  of  failed  items  (see 
scheduled  maintenance). 

corrosion  The  gradual  deterioration  of  a metal  or  alloy  as  a result  of 
chemical  interaction  with  its  environment. 

cost  effectiveness  Referring  to  a favorable  cost-benefit  ratio;  the  cri- 
terion of  task  effectiveness  in  preventing  any  functional  failure  that  has 
economic,  but  not  safety,  consequences  (see  effectiveness  criterion). 

cost  of  failure  For  a failure  that  has  operational  consequences,  the 
combined  cost  of  the  operational  consequences  and  the  cost  of  corrective 
maintenance;  for  a failure  that  has  nonoperational  consequences,  the 
direct  cost  of  corrective  maintenance. 

cost-tradeoff  study  See  economic-tradeoff  study. 

crack  initiation  The  first  appearance  of  a fatigue  crack  in  an  item 
subject  to  repeated  loads,  usually  based  on  visual  inspection,  bui  some- 
times based  on  the  use  of  nondestructive  testing  techniques. 

crack-propagation  characteristics  The  rate  of  crack  growth,  and  the 
resulting  reduction  in  residual  strength,  from  the  time  of  crack  initiation 
to  a crack  of  critical  length. 

critical  crack  length  The  length  of  a fatigue  crack  at  which  the  residual 
strength  of  the  item  is  no  longer  sufficient  to  withstand  the  specified 
damage-tolerant  load. 

critical  failure  A failure  involving  a loss  of  function  or  secondary 
damage  that  could  have  a direct  adverse  effect  on  operating  safety  (see 
safety  consequences). 

critical  failure  mode  A failure  mode  whose  ultimate  effect  can  be  a 
critical  failure. 

D check  See  letter  check,  major  structural  inspection. 

damage  Physical  deterioration  of  an  item  from  any  cause. 

damage-tolerant  structure  Structure  whose  residual  strength  enables 
it  to  withstand  specified  damage-tolerant  loads  after  the  failure  of  a 
significant  element  (in  some  cases  the  failure  of  multiple  elements). 

decision  diagram  In  RCM  analysis,  a graphic  display  of  the  decision 
process,  in  which  the  answers  to  an  ordered  sequence  of  yes/no  ques- 
tions lead  to  an  identification  of  the  appropriate  maintenance  action  for 
an  item. 

default  answer  In  a binary  decision  process,  the  answer  to  be  chosen 
in  case  of  uncertainty;  employed  in  the  development  of  an  initial 


scheduled-maintenance  program  to  arrive  at  a course  of  action  in  the 
absence  of  complete  information. 

direct  effect  of  failure  The  physical  effects  resulting  from  a single 
failure  which  will  be  felt  before  the  planned  completion  of  the  flight. 

discard  task  The  scheduled  removal  of  all  units  of  an  item  to  discard 
the  item  or  one  of  its  parts  at  a specified  life  limit;  one  of  the  four  basic 
tasks  in  an  RCM  program. 

dominant  failure  mode  A single  failure  mode  that  accounts  for  a 
significant  proportion  of  the  failures  of  a complex  item. 

economic  consequences  The  only  consequences  of  a functional  failure 
which  is  evident  to  the  operating  crew  and  has  no  direct  effect  on 
operating  safety  (see  rost  of  failure,  operational  consequences,  nonopera- 
tional  consequences). 

economic-life  limit  A life  limit  imposed  on  an  item  to  reduce  the  fre- 
quency of  age-related  failures  that  have  economic  consequences  (see 
safe-life  limit). 

economic-tradeoff  study  A cost  study  to  determine  whether  a proposed 
course  of  action  is  cost-effective. 

effectiveness  criterion  The  criterion  for  judging  whether  a specific  task 
would  be  capable  of  reducing  the  failure  rate  to  the  required  level  for 
the  appropriate  consequem  ' branch  of  the  decision  diagram  (see 
applicability  criteria). 

engine  flameout  The  cessation  of  the  combustion  process  in  a turbine 
engine,  resulting  in  a complete  loss  of  function  of  that  engine. 

engine  shutdown  Controlled  shutdown  of  an  engine  by  the  pilot  as  a 
response  to  evidence  of  unsatisfactory  conditions. 

event-oriented  inspection  A special  on-condition  inspection  following 
the  occurrence  of  a specific  event  that  may  have  caused  damage. 

event-oriented  system  One  of  the  various  information  systems  em- 
ployed in  the  aircraft  industry  for  collecting  data  on  specific  failure 
events. 

evident  function  A function  whose  failure  is  evident  to  the  operating 
crew  during  the  performance  of  normal  duties. 

exposure  to  stress  See  age. 

external  structural  item  Any  portion  of  the  structure  that  is  visible 
without  the  opening  of  quick-access  panels  or  the  removal  of  covering 
items. 
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fail-operational  system  A system  whose  complete  functional  capability 
remains  available  to  the  equipment  without  interruption  when  failures 
occur  within  it. 

fail-safe  system  A system  whose  function  is  replicated,  so  that  the 
function  will  still  be  available  to  the  equipment  after  failure  of  one  of 
its  sources. 

failure  An  unsatisfactory  condition;  any  identifiable  deviation  of  the 
condition  or  performance  capability  of  an  item  from  its  new  state  that 
is  unsatisfactory  to  a particular  operating  organization  (see  functional 
failure,  potential  failure). 

failure  data  The  reports  of  failure  events,  their  causes,  and  their 
consequences. 

failure  effects  The  immediate  physical  effects  of  a functional  failure 
on  surrounding  items  and  on  the  functional  capability  of  the  equipment, 
the  principal  determinant  of  failure  consequences  (see  direct  effect  of 
failure). 

failure  evidence  An  identifiable  physical  condition  by  which  the 
occurrence  of  a functional  failure  or  a potential  failure  can  be  recog- 
nized. 

failure-finding  task  Scheduled  inspections  of  a hidden-function  item 
to  find  functional  failures  that  have  already  occurred  but  were  not 
evident  to  the  operating  crew;  one  of  the  four  basic  tasks  in  an  RC'M 
program. 

failure  mode  The  specific  manner  of  failure;  the  circumstances  or 
sequence  of  events  which  leads  to  a particular  functional  failure. 

failure  observer  The  person  who  is  in  a position  to  observe  a failure, 
recognize  it  as  such,  and  report  it  for  correction. 

failure  process  The  interaction  of  stress  and  resistance  to  failure  over 
time. 

failure  rate  The  ratio  of  the  number  of  failures  of  an  item  during  a 
specified  period  to  the  total  experience  of  all  units  in  operation  during 
that  period,  usually  expressed  as  failures  per  1,000  operating  hours. 

failure  substitution  In  maintenance,  the  use  of  a potential  failure  to 
preempt  a functional  failure;  in  design,  the  use  of  an  item  whose  failure 
has  minor  consequences  to  preempt  a failure  that  would  have  major 
consequences. 

fatigue  Reduction  in  the  failure  resistance  of  a material  over  time  as  a 
result  of  repeated  or  cyclic  applied  loads. 
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fatigue  life  For  an  item  subject  to  fatigue,  the  total  time  to  crack 
initiation  (sec  thick  initiation,  crack-propagation  characteristics). 

fleet-leader  concept  The  concentration  of  sample  inspections  on  the 
pieces  of  equipment  which  have  the  highest  operating  ages  to  identify 
the  first  evidence  of  changes  in  their  condition  with  increasing  age, 

flight  cycles  A measure  of  exposure  to  the  stresses  associated  with  the 
conduct  of  individual  flights,  expressed  as  the  number  of  ground-air 
cycles. 

flight  hours  A measure  of  operating  age,  expressed  as  the  number  of 
operating  hours  from  takeoff  to  landing. 

flight  log  In  commercial  aviation,  the  official  record  of  each  flight,  the 
primary  communication  link  between  the  operating  crew  and  the  main- 
tenance crow. 

forced  sample  An  inspection  sample  obtained  by  special  disassembly 
solelv  for  access  to  that  item  (see  opportunity  sample). 

function  The  normal  or  characteristic  actions  of  an  item,  sometimes 
defined  in  terms  of  performance  capabilities. 

functional  failure  Failure  of  an  item  to  perform  its  normal  or  charac- 
teristic actions  within  specified  limits. 

functionally  significant  item  An  item  whose  loss  of  function  would 
have  significant  consequences  at  the  equipment  level  (see  structurally 
significant  item). 

hard-time  process  In  current  regulatory  usage,  scheduled  removal  of 
all  units  of  an  item  before  some  specified  maximum  permissible  age 
limit. 

hidden- failure  consequences  The  risk  of  a multiple  failure  as  a result 
of  an  undetected  earlier  toilure  of  a hidden- function  item;  one  of  the 
four  consequence  branches  of  the  KCM  decision  diagram. 

hidden  function  A function  whose  failure  will  not  he  evident  to  the 
operating  crow  during  the  performance  of  normal  duties. 

hidden- function  item  Anv  item  whose  functions  include  a hidden 
function. 

improvable  failure  rate  Fhe  difference  between  the  failure  rate  of  an 
item  on  newly  designed  equipment  and  the  expected  failure  rate  after 
product  improvement  to  eliminate  dominant  failure  modes;  this  reduc- 
tion in  the  failure  rate  is  generally  exponential  and  can  be  predicted 
trom  early  lathi  re  data. 
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imputed  cost  The  economic  value  assigned  to  operational  conse- 
quences as  an  opportunity  cost. 

infant  mortality  The  relatively  high  conditional  probability  of  failure 
during  the  period  immediately  after  an  item  enters  service. 

inherent  reliability  level  The  level  of  reliability  of  an  item  or  of  equip- 
ment that  is  attainable  with  an  effective  scheduled  maintenance  pro- 
gram. 

inherent  reliability  characteristics  The  design  characteristics  of  an 
item  that  determine  its  inherent  level  of  reliability,  including  the 
characteristics  that  determine  the  feasibility  and  cost  effectiveness  of 
scheduled  maintenance 

inherent  safety  level  The  level  of  satety  of  an  item  or  of  equipment 
that  is  associated  with  its  inherent  reliability  level. 

initial  maintenance  program  The  scheduled-maintenance  tasks  and 
associated  intervals  developed  for  new  equipment  before  it  enters 
service. 

initial  task  intervals  The  task  intervals  assigned  in  a prior-to-service 
maintenance  program,  subject  to  adjustment  on  the  basis  of  findings 
from  actual  operating  experience. 

inspection  task  A scheduled  task  requiring  testing,  measurement,  or 
visual  inspection  for  explicit  failure  evidence  by  maintenance  person- 
nel (see  on-condition  task,  failure-finding  task), 

internal  structural  item  Any  portion  of  the  structure  whose  inspection 
requires  the  opening  of  access  doors  or  the  removal  of  covering  items, 

item  Any  level  of  the  equipment  or  its  sets  of  parts  (including  the 
equipment  itself)  isolated  as  an  entity  for  study. 

items  that  cannot  benefit  from  scheduled  maintenance  Items  for 
which  no  maintenance  tasks  can  be  found  that  are  both  applicable  and 
effective, 

letter  check  In  the  airline  industry,  the  alphabetic  designations  given 
to  scheduled-maintenance  packages. 

life  See  conditional  probability  of  failure,  probability  of  survival. 

life-limit  task  A scheduled  discaiu  task  (see  safe-life  limit,  economic- 
life  limit). 

line  maintenance  Scheduled  and  correct!  e work  performed  by  mech- 
anics at  a line  station  that  has  been  designated  as  - maintenance  station, 
usually  consisting  of  inspection  tasks  that  can  be  pertormed  on  items 
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in  their  installed  position  and  the  replacement,  rather  than  repair,  of 
failed  units  (see  shop  maintenance). 

lubrication  tasks  Scheduled  tasks  to  assure  the  existence  of  complete- 
ness of  lubrication  films;  usually  performed  at  intervals  specified  by 
the  manufacturer. 

maintainability  The  ease  with  which  scheduled  or  corrective  main- 
tenance can  be  performed  on  an  item. 

maintenance  base  The  major  maintenance  facility  of  an  operating 
organization,  staffed  and  equipped  to  perform  shop  maintenance  and 
heavy  maintenance  on  the  equipment  itself  (see  shop  maintenance). 

maintenance  package  A group  of  maintenance  tasks  scheduled  for 
accomplishment  at  the  same  time. 

Maintenance  Review  Board  A designated  group  of  FAA  inspectors, 
each  with  specialized  skills,  which  is  charged  with  the  responsibility 
of  approving  the  initial  maintenance  program  for  a new  commercial 
transport  aircraft. 

maintenance  station  A line  station  staffed  and  equipped  to  perform 
line  maintenance  (see  line  maintenance). 

major  structural  inspection  The  maintenance  visit  that  includes  inspec- 
tion of  most  structurally  significant  items,  called  the  D check  in  the 
airline  industry. 

mean  time  between  failures  The  ratio  of  total  operating  experience 
of  all  units  of  an  item  during  a specified  period  to  the  number  of  failures 
during  that  period;  the  reciprocal  of  the  failure  rate. 

monitoring  system  One  of  the  various  information  systems  employed 
in  the  aircraft  industry,  consisting  of  periodic  summaries  of  the  relia- 
bility dafa  reported  by  event-oriented  systems. 

MSG-1  A working  paper  prepared  by  the  747  Maintenance  Steering 
Group,  published  in  July  1968  under  the  title  Handbook:  Maintenance 
Evaluation  and  Program  Development  (MSG-1):  the  first  use  of  decision- 
diagram  techniques  to  develop  an  initial  schedulea-maintenance  pro- 
gram. 

MSG-2  A refinement  of  the  decision-diagram  procedures  in  MSG-1, 
published  in  March  1970  under  the  title  MSG-2:  Airline/ Manufacturer 
Maintenance  Program  Planning  Document:  the  immediate  precursor  of 
RCM  methods. 

multiple  failure  A failure  event  consisting  of  the  sequential  occurrence 
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that  would  not  be  produced  by  any  of  the  failures  occurring  separately 
(see  hidden-failure  consequences). 

no  scheduled  maintenance  A maintenance  term  used  to  categorize 
items  that  have  been  assigned  no  scheduled  tasks,  either  because  they 
cannot  benefit  from  scheduled  maintenance  or  because  the  information 
nec  ;ssary  to  determine  the  applicability  and  effectiveness  of  a proposed 
task  must  be  derived  from  operating  experience. 

nonoperational  consequences  The  economic  consequences  of  a failure 
that  does  not  affect  safety  or  operational  capability,  consisting  of  the 
direct  cost  of  corrective  maintenance;  one  of  the  four  consequence 
branches  of  the  RCM  decision  diagram. 

nonsignificant  item  An  item  whose  failure  is  evident  to  the  operating 
crew,  has  no  direct  effect  on  safety  or  on  the  operational  capability  of 
the  equipment,  and  involves  no  exceptionally  expensive  failure  modes; 
nonsignificant  items  that  have  no  hidden  functions  are  assigned  to  no 
scheduled  maintenance  in  an  initial  maintenance  program. 

on-condition  process  In  current  regulatory  usage,  scheduled  inspec- 
tions, tests,  or  measurements  to  determine  whether  an  item  is  in,  and 
will  remain  in,  a satisfactory  condition  until  the  next  scheduled  inspec- 
tion, test,  or  measurement  (see  on-condition  task). 

on-condition  task  Scheduled  inspections  to  detect  potential  failures; 
one  of  the  four  basic  tasks  in  an  RCM  program. 

operating  crew  In  the  airline  industry,  the  flight  and  cabin  crew,  the 
primary  source  of  reports  of  functional  failures. 

operating  information  Reliability  information  derived  from  actual 
operating  experience  with  the  equipment  after  it  enters  service. 

operational  consequences  The  economic  consequences  of  a failure 
that  interferes  v/ith  the  planned  use  of  the  equipment,  consisting  of  the 
imputed  cost  of  the  lost  operational  capability  plus  the  cost  of  corrective 
maintenance;  one  of  the  four  consequence  branches  of  the  RCM  decision 
diagram. 

opportunity  sample  An  item  available  for  inspection  at  the  mainte- 
nance base  during  the  normal  disassembly  of  failed  units  for  repair. 

overhaul  In  current  regulatory  usage,  the  maintenance  operations 
which  form  the  basis  for  returning  the  measure  of  time  since  overhaul 
to  zero,  accomplished  by  the  shop  as  specified  in  the  overhaul  manual 
(see  conditional  overhaul,  rework  task). 

partitioning  process  The  process  of  dividing  complex  equipment  into 
convenient  entities  for  analysis. 
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performance  requirement  The  standard  of  performance  for  an  item 
defined  as  satisfactory  by  an  operating  organization. 

phase  check  A maintenance  package  subdivided  into  sets  of  tasks  to 
be  accomplished  at  successive  occasions  of  a more  frequent  lower-level 
check. 

potential  failure  An  identifiable  physical  condition  which  indicates 
that  a functional  failure  is  imminent. 

powerplant  division  One  of  the  three  major  divisions  of  an  aircraft, 
consisting  of  the  basic  engine  and  in  some  cases  including  the  thrust 
reverser  and  other  quick-engine-change  parts. 

preload  An  unintended  sustained-load  condition  caused  by  design, 
fabrication,  o.  assembly  errors. 

premature  removal  Unscheduled  removal  of  a unit  because  of  a sus- 
pected or  actual  potent i i or  functional  failure. 

preventive  maintenance  See  scheduled  maintenance. 

prior-to-service  program  See  initial  maintenance  program. 

probability  density  of  failure  The  probability  that  an  item  will  fail 
in  a defined  age  interval;  the  difference  between  the  probability  of 
survival  to  the  start  of  the  interval  and  the  probability  of  survival  to 
the  end  of  the  interval  (see  conditional  probability  of  failuie). 

probability  of  survival  The  probability  that  an  item  will  survive  to  a 
specified  operating  age,  under  specified  operation  conditions,  without 
failure  (see  survival  curve). 

product  improvement  Design  modifications  of  an  existing  item  to 
improve  its  reliability,  usually  in  response  to  information  derived  from 
operating  experience  after  the  equipment  enters  service. 

purging  The  periodic  review  of  a scheduled-maintenance  program  to 
eliminate  tasks  that  are  superfluous  or  no  longer  effective. 

RCM  analysis  Use  of  the  RCM  decision  diagram  to  analyze  the 
maintenance  requirements  of  complex  equipment  according  to  the 
consequences  of  each  failure  possibility  and  the  inherent  reliability 
characteristics  of  each  item. 

RCM  program  A scheduled-maintenance  program  consisting  of  a set  of 
tasks  each  of  which  is  generated  by  RCM  analysis. 

RCM  task  A scheduled-maintenance  task  vvhich  satisfies  the  specific 
applicability  criteria  for  that  type  of  task  (see  on-condition  task,  rework 
462  GLOSSARY  task,  discard  task,  failure-finding  task). 


reduced  resistance  to  failure  Physical  evidence  of  a deterioration  in 
the  condition  or  performance  of  individual  units  of  an  item  which  can 
be  used  to  define  a potential-failure  condition  for  that  hem  (see  wearout 
characteristics). 

redundancy  The  design  practice  of  replicating  the  sources  of  a function 
so  that  the  function  remains  available  after  the  failure  of  one  or  more 
items. 

reliability  See  probability  of  survival. 

reliability-centered  maintenance  A logical  discipline  for  developing  a 
scheduled-maintenance  program  that  will  realize  the  inherent  reliabil- 
ity levels  of  complex  equipment  at  minimum  cost  (see  RCM  analysis). 

reliability  data  All  the  failure  data,  inspection  findings,  and  other 
information  derived  from  the  actual  service  history  of  each  item. 

reliability  function  See  survival  curve. 

reliability  growth  The  improvement  in  the  reliability  of  a new  item 
as  a result  of  product  improvement  after  the  equipment  enters  service 
(see  improvable  failure  rate). 

reliability  index  One  of  several  quantitative  descriptions  of  failure 
data  (see  failure  rate,  probability  density  of  failure,  probability  of  survival, 
conditional  probability  of  failure). 

residual  failure  rate  The  remaining  failure  rate  of  on  item  after  all 
applicable  and  effective  scheduled-maintenance  tasks  are  performed. 

residual  strength  The  remaining  load-carrying  capability  of  a damage- 
tolerant  structural  assembly  after  the  failure  of  one  of  its  elements 
(see  damage-tolerant  structure). 

resistance  to  failure  The  ability  of  an  item  to  withstand  the  stresses 
to  which  it  is  exposed  over  time  (see  reduced  resistance  to  failure). 

rework  task  The  scheduled  removal  of  all  units  of  an  item  to  perform 
whatever  maintenance  tasks  are  necessary  to  ensure  that  the  item 
meets  its  defined  condition  and  performance  standards;  one  of  the  four 
basic  tasks  in  an  RCM  program  (see  overhaul). 

safe-life  limit  A life  limit  imposed  on  an  item  that  is  subject  to  a 
critical  failure,  established  as  some  fraction  of  the  average  age  at  which 
the  manufacturer's  test  data  show  that  failures  will  occur. 

safe-life  structure  Structure  that  it  is  not  practical  to  design  to  damage- 
tolerant  criteria;  its  reliability  is  protected  by  conservative  safe-life 
limits  that  remove  elements  from  service  before  failures  are  expected. 
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safety  consequences  The  consequences  of  a functional  failure  that 
could  have  a direct  adverse  effect  on  the  safety  of  the  equipment  and 
its  occupants;  one  of  the  four  consequence  branches  of  the  RCM  de- 
cision diagram. 

scheduled  raaintenance  Preventive-maintenance  tasks  scheduled  to 
be  accomplished  at  specified  intervals  (see  corrective  maintenance). 

scheduled  removal  Removal  of  serviceable  unit  at  some  specified  age 
limit  to  perform  a rework  or  a discard  task  (see  premature  removal). 

secondary  damage  The  immediate  physical  damage  to  other  parts  or 
items  that  results  from  a specific  failure  mode. 

servicing  tasks  Scheduled  tasks  to  replenish  fluid  levels,  pressures, 
and  consumable  supplies. 

shop  maintenance  Scheduled  and  corrective  work  performed  by 
mechanics  at  the  maintenance  base,  usually  consisting  of  inspection 
tasks  that  require  disassembly  of  the  item,  scheduled  rework  and  discard 
tasks,  and  the  repair  of  failed  units  removed  from  the  equipment  at  line 
maintenance  stations  (see  line  maintenance). 

significant  item  An  item  whose  functional  tailures  have  safety  or  major 
economic  consequences  (see  functionally  significant  item , structurally 
significant  item). 

simple  item  An  item  whose  functional  failure  is  caused  by  only  one 
or  a very  few  failure  modes  (see  complex  item). 

spectrum  hours  The  current  flight  histor)  of  an  aircraft  structure 
expressed  in  terms  of  the  spectrum  loading  pattern  used  in  the  manu- 
facturer's original  fatigue  tests. 

stress  The  interaction  of  an  item  with  its  environment;  the  physical 
processes  that  reduce  resistance  to  failure. 

stress  corrosion  Spontaneous  collapse  of  metal  with  little  or  no  macro- 
scopic signs  of  impending  failure,  caused  by  the  combined  effects  of 
environment  and  tensile  stress. 

structure  division  One  of  the  three  major  divisions  of  an  aircraft, 
consisting  of  the  basic  airframe  and  its  load-carrying  elements. 

structural  inspection  plan  The  set  of  on-condition  tasks  and  their 
intervals  assigned  to  structurally  significant  items. 

structural  ratings  Individual  ratings  for  each  of  the  factors  affecting 
the  failure  resistance  of  a major  structural  assembly,  used  to  determine 


the  class  i .umber  that  defines  the  relative  length  of  maintenance  inter- 
vals (see  class  number). 

structurally  significant  item  The  specific  site  or  region  that  is  the  best 
indicator  of  the  condition  of  a structural  element  whose  failure  would 
result  in  either  a material  reduction  in  residual  strength  or  the  loss  of  a 
basic  structural  function. 

survival  curve  A graph  of  the  probability  of  survival  of  an  item  as  a 
function  of  age,  derived  by  actuarial  analysis  of  its  service  history. 
The  area  under  the  curve  can  be  used  to  measure  the  average  realized 
age  (expected  life)  of  the  item  under  consideration. 

system  A set  of  components  and  their  connecting  links  that  provide 
some  basic  function  at  the  equipment  level. 

systems  division  One  of  the  three  major  divisions  of  an  aircraft,  con- 
sisting of  all  systems  items  except  the  powerplant. 

task  An  explicit  scheduled-maintenance  activity  performance  by  me- 
chanics. 

teardown  inspection  The  complete  disassembly  of  a serviceable  item 
that  has  survived  to  a specified  age  limit  to  examine  the  condition  of 
each  of  its  parts  as  a basis  for  judging  whether  it  would  have  survived 
to  a proposed  higher  age  limit. 

technologically  useful  life  The  length  of  time  equipment  is  expected 
to  remain  in  service  before  technological  changes  in  new  designs  render 
it  obsolete. 

time-expired  unit  A serviceable  unit  that  has  reached  an  age  limit 
established  for  that  item. 

time-extension  sample  A unit  designated  for  special  analysis  of  in- 
spection findings  as  the  basis  for  extending  task  intervals. 

time  since  last  shop  visit  The  operating  age  of  a unit  since  its  last  shop 
visit  for  repair  or  rework. 

time  since  overhaul  The  operating  age  of  a unit  since  its  last  over- 
haul; in  current  usage,  time  since  last  shop  visit. 

time  since  rework  The  operating  age  of  a unit  since  it  was  last  re 
worked. 

unverified  failures  Units  removed  from  the  equipment  because  of 
suspected  malfunctions  and  subsequently  determined  by  shop  inspec- 
tions and  tests  to  be  in  an  unfailed  condition. 


verified  failures  Units  confirmed  to  have  experienced  a functional 
failure. 

walkaround  inspection  Scheduled  general  inspection  by  line  mechan- 
ics of  those  portions  of  the  equipment  that  are  visible  fro  \ the  ground, 
used  as  a vehicle  for  certain  specific  on-condition  tasks. 

wearout  characteristics  The  characteristics  of  a conditional-probability 
curve  that  indicate  an  increase  in  the  conditional  probability  of  failure  of 
an  item  with  increasing  operating  age  (see  reduced  resistance  to  failure). 

wearout  region  The  portion  of  the  conditional-probability  curve  that 
shows  a marked  increase  in  the  conditional  probability  of  failure 
after  an  identifiable  age. 

zero-time  To  restore  the  operating  age  of  a unit  to  zero  by  means  of 
inspection,  rework,  or  repair. 

zonal-installation  inspections  Scheduled  general  inspections  of  the 
installed  items  in  each  geographic  zone,  including  inspection  of  those 
portions  of  the  internal  structure  that  can  be  seen  with  all  installations 
in  place. 
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A check,  109-110,  285-286,  316-319 
Acceleration  recorders,  34 
Accident  statistics,  338-339 
Accidental  damage,  114,  129,  238 
effect  on  fatigue  life,  84,  235 
Accidental-damage  ratings,  structurally  significant 
items,  241-246 
zonal  installation,  281 

Actuarial  analysis,  39-48,  57-58,  123-126,  390-419 
data  from  defined  calendar  period,  395-402 
homogeneous  population,  395-408 
to  justify  rework  tanks,  48,  325-326,  263 
life-test  data,  391-395 
limitations  of,  390-391 
mixed  population,  124-126,  408-411 
smoothing  problem,  402—108 
useful  probability  distributions,  411-416 
uses  in  age  exploration,  123-126,  227 
see  also  age-reliability  relationship 
Actuator  endcap,  flight-control  system,  161 
landing  gear,  191-192,  311-312 
Age,  33 

measures  of,  33-34 
operating  age,  304,  408-409 
Age  at  failure,  35,  393 
complex  items,  38-39,  47 
simple  items,  35-37,  48,  60 
see  also  average  age  at  failure,  probability  of 
survival 

Age  distribution  of  operating  fleet,  105,  123 


Age  exploration,  106-108,  113,  114-115,  292, 
actuarial  analysis,  123-126 
to  adjust  task  intervals,  122,  192-193,  324-325 
to  determine  applicability  of  rework  tasks,  57, 
224-225,  305-306,  309-311,  325-326,  361 
to  identify  needs  for  product  improvement, 
128-135 

information  requirements,  155,  293-297,  367-368 
opportunity  sampling,  108,  224,  225,  307,  314,  315 
powerplant  items,  106-107,  224-227,  312-316 
structural  items,  107,  273,  275,  316-323 
systems  items,  107-108,  192-193,  308-312 
Age-exploration  cycle,  155-156,  325 
Age  grouping,  403 
Age  intervals.  398 

Age  limit,  applicability  of,  46-48,  56-61,  390-391 
effect  on  age  exploration,  225,  227,  307 
effect  on  average  realized  life,  41-42,  57-58 
effect  on  inventory  problems,  325,  417-419 
effect  on  failure  rate,  44-45 
see  also  discard  tasks,  rework  lasks,  scheduled 
overhaul 

Age-reliability  relationship,  40-49 
characteristics  of  complex  items,  46-4q 
characteristics  of  simple  items,  47-48,  56 
dominant  failure  modes,  48,  57,  118-119, 

310,  319 

probability  of  survival,  40-42 
wearout  characteristics,  43-44,  47 
Age-reliability  relationships,  Boeing  727  constant- 


speed  drive,  303-305 
Boeing  727  generator,  310 
General  Electric  CF6-6  engine,  124-125 
patterns  of,  46-48 

Pratt  & Whitney  JT8D-7  engine,  44,  226 
Pratt  & Whitney  R-2800  CA  15  engine,  374 
Wright  R-3350  TC-18  engine,  374 
Air  Transport  Association,  5,  386-387 
Airborne  integrated  data  systen  (AIDS),  127 
Airbus  Industrie  A-300,  5,  386 
Air-conditioning  pack,  Douglas  DC-10,  164-170 
Aircraft  maintenance  information  ystem,  2% 
Airplane  overhaul,  249,  274 
see  also  major  structural  inspection: 
Airworthiness,  see  safety  levels 
Airworthiness  directives,  Boeing  747,  floor-beam 
inspection,  322-323 
history  of,  135-136 

Airworthiness  requirements,  powcrplants,  195 
structure,  230-231 
systems,  339-340 

Alert  rate,  chronic  maintenance  problems,  301 
engine  shutdown,  377 
failure,  382 

Alert  system,  safety,  135,  247 
see  also  information  systems 
Analysis  of  failure  data,  301-307 
see  also  actuarial  analysis 
Analysis  and  surveillance  program,  FAA,  1 54 
Applicability  criteria  for  maintenance  tasks,  49, 
50-51,  68-69,  142,  359-360 
discard  tasks  cconomic-life,  60-61 
safe-life,  59-60 
failure-finding  tasks,  62-63 
on-condition  tasks.  51-57 
rework  tasks,  56-58 
Applied  loads,  36,  228,  230-231,  331 
Auditing  process,  152,  157,  350-369 
analysis  of  equipment,  '’62-36"’ 
decision  process,  354-362 
ongoing  program,  367-368 
packaging,  367 
powerplant  analysis,  3o3-364 
program-development  project,  351-354 
programs  for  in-service  aircraft,  368-369 
structure  analysis,  364-366 
systems  analysis,  362-36 3 
Average  age  at  failure,  38-39,  60,  143,  393,  412 
Average  fatigue  life,  243,  320 


Average  realized  life,  42-44 
Average  stress  level,  37 

B check,  109-110,  285-287,  288 
Bathtub  curve,  45,  47 
see  also  conditional  probability  of  failure 
Bearing  failure,  accessory  drive,  Pratt  & Whitney 
JT8D-7,  207,  211-213 
elevator,  Douglas  DC  8,  326-327 
generator,  Boeing  727,  126,  309-310 
Bird  strike,  set’  accidental  damage 
Boeing  720,  hydraulic  system,  384 
Boeing  727,  automatic-takeoff  thrust  control,  340 
constant-speed  drive,  303-306 
generator,  126,  309-310 
MSG-2  review  of  systems  program,  344-345 
rate  of  fleet  gm.vth,  105 
Boeing  737,  hydraulic  system,  385 
powerplant,  see  Tratt  & Whitney  JT8D-7  engine 
shock  strut,  main  landing  gear,  12 
Boeing  747,  airworthiness  directives,  135-137 
change-order  authorizations,  135-137 
failure  reports  by  operating  crew,  21 
floor-beam  failure,  322 
high-frequency  communications  subsystem, 
186-190 

initial  maintenance  program,  5 
maintenance  manhours,  74-75 
maintenance-package  contents,  288-289 
major  structural  inspections,  6,  274-275 
overhaul  (rework)  items  in  initial  piogram,  192 
purging  of  maintenance  program,  328 
rate  of  fleet  growth,  105 
toilets,  on-condition  task  for,  308-309 
zone  numbering  system,  279 
Borescope  inspections,  52,  71,  76,  127,  198 
Brake  assembly,  main  landing  gear,  Douglas  DC-10, 
12,  178-186 

Brake  wear  indicator,  179,  183 

Broomstick  check,  71 

Built-in  test  equipment,  150,  163,  303 

C check,  109-110,  285-287,  288-289 
C-sump  problem,  General  Electric  CF6-6,  313 
Cancellations,  see  operational  consequences 
Certification,  new  aircraft,  106,  231 
new  engines,  199 

Change-order  authorizations,  Boeing  747, 

135-137 
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Chronic  maintenance  problems,  301,  303 
Class  number,  struct  ‘.rally  significant  items,  244-295 
zonal  inspections,  280-281 
see  also  structural  inspection  plan 
Cockpit  instrumentation,  34,  61,  127,  159,  163, 

196,  357 

Combustion  chambers,  216 
Communications  system,  high-frequency, 

Boeing  747,  186-190 

Complex  equipment,  maintenance-redesign  cycle, 
156,  324-327 

reliability  problems  in,  9-11,  388 
role  of  product  improvement  in  development, 
75-77,  128-137 
Complex  items,  37 
age-reliability  characteristics,  47-48 
average  age  at  failure,  38-39 
dominant  failure  modes,  38,  119: 

Component  Reliability  Program,  ‘378 
Compressor,  assembly,  121 
blades,  12,  216 
disks,  118 
rear  frame,  12 
see  also  turbine  blades 
Concorde,  5,  386 

Condition-monitoring  process,  o5-66,  345 
Conditional  overhaul,  72,  383 
Conditional  probability  of  failure,  43-44,  398 
patterns  of,  46-48 
see  also  age-reliability  relationship 
Conditional-probability  curve,  43 
Configuration  deviation  list  (CDL),  163,  358 
Consequences  ot  failure,  25-31 
h-layed,  88-89 

effectiveness  criteria  for  tasks,  51,  86-89, 

91-96,  360 

evaluation  of,  86-89,  357-358 
hidden-failure  consequences,  28 
impact  on  maintenance  decisions,  7,  25,  104, 
116-121,  293 

as  inherent  reliability  characteristic,  104,  342,  388 
multiple  failures,  29-30 
nonoperational  consequences,  27-28 
operat  nal  consequences,  27,  85 
role  of  design,  11,  75-76,  85,  140-141,  159-161, 
230-237,  342,  347,  388 
safety  consequences,  25-26 
Constant-speed  drive,  Boeing  727,  303-306 
Douglas  DC-8,  378 


Controller,  see  maintenance  controller 
Corrective  maintenance,  11 
cost  of  failure,  27,  95-96 
deferral  of,  13,  22,  30,  83-89,  249 
Corrosion,  236 
effect  on  fatigue  life,  84,  236 
environmental  factors,  236,  237,  243,  248 
prevention,  236,  312 
stress  corrosion,  236 

Corrosion  ratings,  structurally  significant  items, 
243-244 

Cost  data,  see  economic-tradeoff  study 
Cost  of  default  decisions,  98-99 
Cost  of  failure,  see  economic  consequences 
Cost  effectiveness,  52,  70,  98-103,  130-134 
of  basic  tasks,  67-6r» 

as  criterion  of  task  effectiveness,  52,  57-58,  61, 
63,  68-69,  95-96,  102,  363 
determination  for  applicable  task,  100-103 
determination  for  product  improvement, 

130-134,  323 

impact  of  inherent  reliability  characteristics, 
103-104 

Cost-tradeoff  analysis,  see  economic-tradeoff  study 
Crack,  see  fatigue  crack 
Crack  initiation,  233 
see  also  fatigue  life 

Crack- propagation  characteristics,  106-107,  208, 
232-233 

Crack-propagation  ratings,  structuially  significant 
items,  241-246 
Crew.,  see  operating  crew 
Critical  crack  length,  233,  248,  323 
Critical  failures,  26 

powerplant  items,  85-86,  116-117,  194,  198,  204, 
205-211,313,358 
product  improvement,  128-137 
structural  items,  84,  228-229,  230,  252-257 
systems  items,  158,  161,  170-178 
unanticipated,  115,  116-118,  135-136,  293 
see  also  safety  consequences 
Cumulative  failure  number,  402-404 
Cyclic  loads,  see  applied  load 

D check,  249,  252,  285-287,  289,  319-320 
Daily  operations  report,  296 
Damage,  see  accidental  damage,  reduced 
resistance  to  failure 

Damage-tolerant  (fail-safe)  design,  234,  320 
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Damage-tolerant  strength.  233-234,  242,  335-336 
Damage  toleiant  structural  items,  237,  239, 

253-254,  256-257 

see  tilso  structural  inspection  plan,  structures 
Data  elements  for  analysis,  see  information 
requirements 

Decision-diagram  approach,  history  of,  4-6,  384, 
385-386 

MSG-1,  4-5,  385-386 
MSG-2,  5,  386 

Decision  diagrams,  cost  effectiveness  of  product 
improvement,  132 

cost  effectiveness  of  applicable  task,  101 
evaluation  of  failure  consequences,  88 
evaluation  of  proposed  tasks,  90 
RCM  decision  diagram,  92-93,  143,  i60,  209, 

212,  253 

structural  inspection  plan.  240 
Decision  making,  in  absence  of  information, 

7Q,  07-99 

bounding  of  problem,  78,  114,  152 
RCM  decision  process,  86-99 
see  also  RCM  analysis 
Decision  worksheet,  151-153 
Default  decisions,  95-96,  97-99 
cost  of,  99,  105 
failure-finding  tasks,  62 
role  of  default  strategy,  97,  361 
Deferred  repairs,  13,  22_,  30,  88-89,  249 
Delays,  see  operational  consequences 
Delay  and  cancellation  summary,  294,  299 
Depot,  see  maintenance  base 
Design,  damage-tolerant,  234 
fail-operational,  160 
fail  safe,  159 
safe-life,  .234 

see  nl  nsequences  of  failure 
Design  changes,  see  product  improvement,  redesigr 
Design  characteristics,  complex  equipment,  9-11, 
75-76,  140-141,  161,  347 
powerplant  items.  7b,  196-199,  201 
structural  items,  75-76,  229,  230-237 
systems  items,  75-76,  159-161.  163 
Design  goals,  performance  capabilities,  10 
structural,  235,  247-248 
Design  loads,  230-231,  234 
Design-maintenance  partnership,  24,  135-136, 
153-157,  341-342 

Detailed  inspections,  structurally  significant 


items,  238 

Detection  of  failures,  20-24 
failure-finding  tasks,  50,  61,  190  -191 
on-condition  tasks,  50,  51-t>2 
role  of  the  operating  crew,  20-22 
verification  of  failures,  22-24,  125 
sec  also  evidence  of  failure 
Deterioration,  see  reduced  resistance  to  failure 
Developmental  testing,  powerplant  items,  199 
safe-life  limits,  59-60 
structural  items,  231,  248 
see  also  test  data 

Diagnostic  techniques,  see  inspection  technology 
Discard  tasks,  50,  58-61,  359-360 
applicability  criteria,  economic-life,  61,  98 
safe-life,  59,  98,  359-360 
characteristics  of,  66,  68-69 
control  of  critical  failures,  58-60,  68,  381,  388 
cost  effectiveness,  58,  61,  68-69,  9!! 
task  intervals,  see  safe-life  limits 
Dispatch  reliability,  135,  370 
see  also  operational  consequences 
Dominant  tailure  modes,  38 
applicability  of  age  limit,  48,  57,  310 
effect  of  product  improvement,  '.19,  227 
Douglas  A-4  fuel  pump,  12,  170-178 
Douglas  DL-8,  cabin  compressor,  378 
constant-speed  drive,  378 
elevator  bearings,  326-327 
freon  compressor,  378 
generatoi  and  bus-tie  relay,  310 
hydraulic  pump,  ,378-379 
major  structural  inspections,  6,  27*’  -275 
overhaul  (rework)  items  in  initial  program,  5,  372 
premature- removal  rate  of  systems  items,  373 
Douglas  DC-10,  air-conditioning  pack,  161-170 
brake  assembly,  main  landing  gear,  178-186 
fatigue-life  design  goal,  235 
initial  maintenance  program,  5,  163,  246-248, 
256-257 

landing-gear  actuator  end  cap,  31 1 

oveihaul  (rework)  items  in  initial  program,  5,  192 

powerplant,  see  General  Electric  CF6-6  engine 

rate  of  fleet  growth,  105 

rear  spar  at  bulkhead  intersection,  12 

shock-strut  outer  cylinder,  267-273 

spar  cap,  wing  rear  spar,  260-267 

walkaround  inspection  plan,  282 

wing-to-fuselage  attach  tee,  258-260 
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Economic  benefits  of  RCM  programs,  5-6,  138,  343, 
347-348 

Economic  consequences,  7,  27,  95-% 
see  u/s 0 uonoperational  consequences,  operational 
consequences 
Economic-life  limits,  60-61 
see  also  discard  tasks 
Economic-tradeoff  study,  102-103,  134 
to  justify  product  improvement,  134 
to  justify  rework  task,  102-103,  361 
sir  also  cost  effectiveness 
Eddy-current  inspection,  127,  238 
Effectiveness  criteria  for  maintenance  tasks,  48, 
50-51,  87-89,  94-96,  360 
hidden-failure  consequences,  96 
nonoperational  consequences,  9t> 
operational  consequences,  95 
•safety  consequences,  94 
Ejection-seat  pyrotechnic  devices,  59,  191 
Electrical  and  electronic  items,  85,  158 
sir  also  high-frequency  communications 
subsystem 

Elevator-control-system  shafts,  28 
Engine,  sir  powerplants 
Engine  heavy  maintenance,  378 
Engineering  redesign,  see  product  improvement 
Environmental-control  system,  see  air-conditioning 
pack 

European  Maintenance  System  Guide,  5,  386 
Event-oriented  inspections,  284 
Event-oriented  system,  294 
see  also  information  systems 
Evidence  of  failure,  18-20 
functional  failures,  20,  163,  lo3,  201,  204,  356-357 
hidden  failures,  20-21,  63-64 
potential  failures,  19-20,  52-55 
Evident  failures,  21,  23.  26,  94 
determination  of,  87-89,  114,  150,  163,  224,  252 
Exhaust-gas  temperature  195-196,  213,  214 
Exponential  distribution,  412-413 
age-reliability  relationships  in  complex  items, 
46-48,  1 19 

establishing  failure-finding  inteival,  62 
prediction  of  reliability  improvement,  120 
special  uses  of,  417-419 

External  detectability,  as  damage-tolerant  design 
characteristic,  76,  239,  248 
effect  on  structural  ratings,  241,  242,  249 
designation  of  structurally  significant  items. 


249,  264-265 

External  structural  items,  239 

Fail-operational  design,  160 
Fail-safe  design,  159 
see  also  damage-tolerant  design 
Failure,  16,  17-20 
in  complex  items,  37-39,  45-48 
functional  failure,  18 
model  of  failure  process,  33-35 
multiple  failure,  28-31 
potential  failure,  19 
quantitative  descriptions  of,  39-s5 
in  simple  items,  31-33,  45-48 
verified  failures,  22-24,  125 
Failure  analysis,  301-307 
see  also  actuarial  analysis 

Failure  characteristics,  see  applicability  criteria  for 
maintenance  tasks 
Failure  data,  interpretation  of,  2<1 
Failure  effects,  163,  165,  201,  204,  356-357 
Failure-finding  tasks,  50,  61-64 
applicability  criteria,  62,  360 
characteristics  of,  66,  68-69 
effectiveness  criteria,  62-63,  96 
task  intervals,  61,  62-63,  169,  191,  312,  361 
Failure  modes,  37-38,  149,  163,  201,  356 
critical,  85-87,  198,  204,  205-211,  358 
dominant,  38,  48,  119,308-310 
relationship  to  age,  38-39 
with  unusually  high  repair  costs,  101,  126, 
308-310,  358 

Failure  modes  and  effects  analysis  (FMEA),  80 
Failure  process,  coping  with,  76-77 
generalized  model  of,  33-35 
Failure  rate,  40 

effect  of  product  improvement,  119 
effect  of  rework  task,  44-45,  48 
improvable,  119 

prediction  of  reliability  improvement,  120 
Failure-reporting  system,  see  operating  crew 
Failure  reports,  see  information  systems 
Failure  resistance,  see  resistance  to  failure 
Failure  substitution,  11,  27,  76 
Fatigue,  84,  231-235 

relationship  to  operating  age,  37,  48,  52  -53,  84, 
231-232,  234,  238,  274-275 
Fatigue  crack,  52-53,  231-232 
critical  length,  233,  248,  323 
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definition  as  potential  failure,  52,  210 
212-213,  242 

effect  on  structural  strength,  232 
inspection  intervals,  52-53,  106-107,  243-247 
propagation  characteristics,  106-107,  208,  232-233 
sec  also  crack  initiation,  crack-propagation  ratings 
atigue  damage,  effect  on  structural  strength, 
232-233 

repair  of,  230,  274,  321,  323 
see  also  external  detectability 
Fatigue  life,  232 
effect  of  corrosion,  84,  236 
effect  of  preload  condition,  235-236 
Fatigue-life  design  goal,  Douglas  DC-10  structure 
235,  247-248 

as  reference  for  relative  inspection  intervals, 
244-247 

as  reference  for  structural  ratings,  243-244 
Fatigue-life  ratings,  structurally  significant  item  \ 
241-243 

Fatigue-test  data,  see  test  data 
Federal  Aviation  Administration,  airvv  jrthiness 
directives,  135-136,  322-323 
analysis  and  surveillance  program,  154 
certification  procedures,  199,  231 
Maintenance  Review  Board,  8,  145,  372 
Fire-extinguishing  system,  22 
Fire-warning  system,  powerplant,  22,  190-191 
Fleet-leader  concept,  113,275 
Flight-control  system,  actuator  endcap,  161 
bearing  failure,  326-327 
Flight  cycles,  33-34 
Flight  log,  294-295 
Flight-log  monitoring,  301 
Forced  removals,  108 
Forced  samples,  225 
Fractional  sampling,  321 
Freon  compressor,  Douglas  DC-8,  378 
Fuel  pump,  Douglas  A-4,  12,  170-178 
Functional  failures,  18-19 
definition  of,  31-32,  87,  t49,  163,  201,  230,  356 
effect  of  level  of  item,  53,  61,  224,  255 
Functionally  significant  items,  85 
see  also  significant  items 
Functions,  evident  and  hidden,  21-22,  87 
of  item,  19,  31,  86-87,  161,  163,  201,  255,  355-357 
of  powerplant,  195,  205 
rarely  used,  283 

redundant,  7'.  158-160,  161-162,  195 


of  structure,  229-230,  252,  255 
of  systems,  159,  161,  163 

General  Electric  CF6-6  engine,  age-reliability 
characteristics,  124-125 
compressor  rear  frame,  12 
C-sump  problem,  313 
initial  inspection  requirements,  106-107 
General  inspections,  external  structure,  240,  283 
nonsignificant  structural  items,  240,  281,  282 
structurally  significant  items,  238 
walkaround  inspections,  73,  282 
zonal  inspections,  73,  277-281 
Generator  and  bus-tie  relay,  Douglas  DC-8,  310 
Generator,  Boeing  727,  126,  309-310 
Geriatric  aircraft,  118,  131,  155-156,  321-323,  325 
Gust  'oads,  231 

Hard-time  directory,  231 
Hard-time  maintenance  process,  65,  385 
Hard-time  policy,  2-6,  371-382 
changing  perceptions  of,  66,  376-382 
current  regulatory  usage,  65,  371-372 
hard-time  paradox,  371-376 
see  also  discard  tasks,  rework  tasks,  scheduled 
overhaul 

Hidden-failure  consequences,  28-31,  87-89,  96 
Hidden-function  items,  21 
identification  of,  81,  87,  97,  356 
Hidden  functions,  21-22,  61-64,  356 
regular  testing  by  operating  crew,  61,  283-284 
required  level  of  availability,  30-31,  62-63, 

1(  9,  361 

role  in  multiple  failures,  28-31,  81 
sec  also  failure-finding  tasks 
High-frequency  communications  subsystem, 

Boeing  747,  186-190 
High-lift  devices,  230 

Identification  and  routing  tag,  296-2°7 

Improvable  failure  rate,  119-120 

Imputed  cost  of  operational  consequences,  7,  27, 

95,  361 

In-flight  engine  shutdown  report,  301-302 
In-service  equipment,  RCM  programs  for,  137-138, 
343-347 

Infant  mortality,  45,  125-126 

Information  excluded  by  life-test  data,  394-395 

Information  flow,  153-157 


Information  problem,  prior-to-service  decisions, 
7-8,  78-79,  97-99,  144 
task  intervals,  324-325 
teardown  inspections,  6,  66,  305,  372-375 
InformaLon  requirements,  assessment  of  rework 
tasks,  44-45,  57-58,  91,  97-103,  359,  361, 

363,  390-391 

management  of  ongoing  program,  155,  293-297, 
367-368 

modification  of  initial  program,  114-115,  293, 
307-323 

product  improvement,  128-135 
RCM  analysis,  7-8,  78-79,  86-99,  144,  146,  149-151 
powerplant  items,  199-204 
structural  items,  247-252 
systems  items,  161-166 
sec  also  age  exploration,  RCM  analysis 
Information  systems,  135,  293-300 
Information  worksheet,  powerplant  items,  149-151, 
201-203 

structural  items,  248-251 
systems  items,  149-151,  163-165 
Inherent  reliability,  103 
Inherent  reliability  characteristics,  75-76, 

103-104,  114-115 

Initial  maintenance  program,  development  of, 
78-111,  147-152 

auditing  of  program  development,  350-369 
completion  of,  72-73,  109-110,  276-291 
organization  of  program-development  team, 
145-147,353 
see  also  RCM  analysis 
Inspectability,  140,  341 
Inspection,  see  failure-finding  tasks,  general 
inspections,  on-ronoition  tasks 
Inspection  findings,  as  basis  for  interval  extension, 
107-108,  121-123,  225-226,  306-307 
structural,  316,  318-319 
see  also  teardown  inspections 
Inspection  samples,  powerplant  items,  108,  225,  315 
structure,  108,  319-321 
see  also  time-extension  samples 
Inspection  technology,  126-128,  341-342 
Inspection,  structural,  see  structural  inspection 
plan 

Instrumentation,  see  cockpit  instrumentation 
Internal  engine  items,  195,  198-199,  225 
Internal  structural  items,  239,  252,  320-321 
external  detectability,  241,  248,  249 


Intervals,  see  age  intervals,  task  intervals 
Inventory  problems,  effect  of  rework  task,  325, 
417-419 

Isotope  inspection,  52,  71,  211 
Item,  81 

Item  description,  149,  163,  01,  248 
Items  that  cannot  benefit  from  scheduled 

maintenance,  70,  85,  158-159,  161,  168,  176-177 
see  also  nonsignificant  items 

Landing  gear,  actuator  endcap,  191-192,  311-312 
brake  assembly,  Douglas  DC-10,  178-186 
shock-strut  outer  cylinder,  Douglas  DC-10, 
267-273 

Letter  checks,  109-110,  284-289 
adjustment  of  intervals,  122-123 
LIBRA  (Logical  Information  of  Reliability 
Analysis),  382 
Life  of  item,  48,  415 
age  at  failure,  35-39,  47-48,  60,  393 
average  realized  life,  42-44 
conditional  probability  of  failure,  43-44, 

46-48,  398 
fatigue  life,  232 
probability  of  survival,  40-42 
Life  limit,  see  discard  tasks,  safe-life  limits 
Life  tests,  391-395 

Lightning  strikes,  see  e ccidental  damage 

Limit  loads,  structural,  231 

Line  maintenance,  13-14 

Load  requirements,  230-234 

Lockheed  1011,  386 

Log  sheet,  airplane  flight  log,  294-295 

Lubrication  tasks,  72-73,  283 

Magnetic-plug  inspection,  213 
Maintenance,  see  corrective  maintenance, 
scheduled  maintenance 
Maintenance  activities,  11-14,  71-75 
Maintenance  base,  13 
Maintenance  controller,  22 
Maintenance  cycle,  156 
Maintenance  information  system,  296 
see  also  information  systems 
Maintenance  packages,  108-110,  285-291 
partial  contents  for  Boeing  747,  288-289 
partial  contents  for  McDonnell  F4J,  290-291 
Maintenance  philosophy,  xvi-xx,  347-348 
Maintenance  plan,  11-14,  367 
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Maintenance  processes,  current  regulatory  usage, 
65-66,  385 

Maintenance  program,  see  scheduled-maintenance 
program 

Maintenance-redesign  cycle,  116-121,  312-313 
Maintenance  Review  Board,  8,  145,  372 
Maintenance  station,  13 

Maintenance  tasks,  see  scheduled-maintenance 
tasks 

Maintenance  technology,  126-128,  341-342 
Major  divisions  of  equipment,  81,  147-148 
powerplant,  194 
structure,  228-229 
systems,  158 

Major  structural  inspections,  249,  252 
comparison  of  policies,  6,  274-275 
role  in  age  exploration,  274-275,  319-321 
see  also  D check 

Management  of  the  ongoing  program,  153-156, 
293-299,367-368 

information  systems,  293-299,  368 
modifying  the  program,  121-128,  307-325 
purging  the  program,  328-329 
reacting  to  unanticipated  failures,  116-121 
resolving  differences  of  opinion,  325-327 
uses  of  operating  information,  113-116 
see  also  age  exploration 

McDonnell  F4J,  maintenance-package  contents, 
290-291 

MSG-2  review  of  program,  346-347 
zone  numbering  system,  378 
Mean  time  between  failures,  40,  340 
Military  applications,  34,  94,  113,  135,  170-178 
sec  also  Douglas  A-4,  McDonnell  F4J 
Minimum-equipment  list  (MEL),  163,  354,  358 
Mixed  population,  actuarial  analysis  of,  408-411 
Model  of  failure  process,  33-35 
Monolithic  elements,  dimage-tolerant,  234,  237 
MSG-1,  5,  344,  385-286 
MSG-2,  5,  343-347,  386 
Douglas  DC-10  structure  program,  257 
review  of  Boeing  727  systems  program, 

344-345 

review  of  McDonnell  F4J  program,  346-347 
Multiengine  aircraft,  consequences  of  engine 
failure,  195,  333-335 
see  also  powerplants 

Multiple  failures,  evaluation  of  consequences,  28, 
29-31,  311 


probability  of,  28-29 
role  of  hidden  functions,  28-31,  81 
Multiple-load-path  structural  assembly,  see  damage- 
tolerant  structural  items 

National  Transport  Safety  Board  statistics,  338-339 
No  scheduled  maintenance,  65,  166,  193 
as  default  decision,  77,  79,  97-98,  114 
nonsignificant  items,  80,  96,  158-161 
Nonoperational  consequences,  27-28,  30,  88-89, 

93,  142,  158-161,  358 
Non-RCM  tasks,  72-73,  277-284,  366 
event-oriented  inspections,  284 
general  external  inspections,  283 
servicing  and  lubrication  tasks,  72-73,  283 
testing  of  rarely  used  functions,  283 
walkaround  checks,  73,  282 
zonal  inspections,  73,  277-281 
Nonsignificant  items,  81,  85,  97,  142,  148,  158 
Normal  distribution,  412-415 
Nozzle  guide  vanes,  Pratt  & Whitney  JT3D  engine, 
202-204 

Pratt  & Whitney  JT8D-7  engine,  209 

Oil-screen  inspection,  71,  213 
On-aircraft  inspections,  see  on-condition  tasks 
On-condition  maintenance  process,  65,  345 
introduction  of,  383-385 
On-condition  tasks,  50-56 
applicability  criteria,  52,  66,  98 
characteristics  of,  65,  67,  68-69 
control  of  critical  failures,  116-117,  312-313,  388 
effectiveness  criteria,  52-53,  90-91,  98 
inspection  intervals,  52-53,  107,  192,  245-247, 
324-325 

on-aircraft  inspections,  71,  198,  341 

role  in  powerplant  programs,  106,  198-199, 

224,  226 

role  in  structure  programs,  108,  229,  255 
shop  inspections,  198 
see  also  powerplant  structures 
Operating  age,  see  age 

Operating  crew,  evident  and  hidden  failures,  21, 
61,  159,  163,  196,  357 
failure-reporting  system,  21,  22,  294-295 
frame  of  reference,  22-23,  63 
role  as  failure  observers,  13,  20-22 
testing  of  hidden-function  items,  61,  312 
Operating  environment,  effect  on  definition  of 


failure,  18 

effect  on  definition  of  consequences,  27,  135 
effect  on  task  intervals,  236,  237,  243,  247 
Operating  information,  uses  of,  113-115,  292-329 
Operating  reliability,  and  design,  75-76,  103-104, 
140-141 

and  safety,  2-3,  331-337,  340-341,  370 
see  also  operational  consequences 
Operating  restrictions,  coping  with  failures,  22, 
76-77,  118,  166,  333 
configuration-deviation  list,  163,  358 
control  of  gross  operating  weights,  195,  231 
minimum-equipment  list,  163,  354,  358 
Operating  safety,  and  design,  2-3,  11,  159-161, 
201,  230-237,  340-341,  388 
relationship  to  scheduled  maintenance,  2-3, 

331-  337,  370-371,  387-389 
see  also  hidden-failure  consequences,  safety 
consequences 

Operating  weight,  responsibilities  of  operating 
organization,  195,  231 
effect  on  level  of  operating  risk,  334-335, 
336-337 

Operational  consequences,  27,  30-31,  85,  88-89, 
308,  354,  358 

determination  of,  27,  149-150,  159-161,  163,  194, 
196,  201,  211-212,  213 
imputed  cost  of,  7,  27,  95,  135,  361 
Operational  performance  goals,  10,  234 
Operational  readiness,  135,  170 
Opportunity  samples,  108,  224,  225,  307,  312, 

314,  315 

see  also  age  exploration,  powerplants 
Overhaul,  see  rework  tasks,  scheduled  overhaul 

Packaging  of  maintenance  tasks,  109-110, 

284-291,  351-352,  367 
structural  inspe*  tion  program,  249 
Part-time  spares,  383 

Partitioning  of  equipment,  identification  of 
significant  items,  7,  81-83,  142,  149 
major  divisions  of  equipment,  81,  147-148 
Partitioning  of  premature-removal  data,  124-126, 
408-411 

see  also  actuarial  analysis 
100  percent  program,  structures,  320 
Potential  failure,  19 
definition  of,  19-20,  31-33,  53-55,  254 
effect  of  level  of  item,  53,  61 


preemption  of  functional  failures,  11,  27,  76,  226 
Powerplant  division,  147-148,  191 
Powerplants,  age  exploration  of,  106-107,  224-227, 
312-316 

analysis  of  basic  engine  function,  Pratt  & 
Whitney  JT8D-7,  205-217 
failures  caused  by  deterioration,  195-196, 
213-247 

fractures  with  critical  secondary  damage, 
205-211 

fractures  with  no  critical  secondary  damage, 
211-213 

analysis  of  secondary  engine  functions,  Pratt  & 
Whitney  JT8D-7,  217-224 
characteristics  of  powerplant  items,  85-86, 

195- 196 

first-stage  nozzle  guide  vanes,  Pratt  & Whitney 
JT3D,  202-204 
functions  of.  195,  205 
information  requirements,  199-204 
role  of  scheduled  maintenance,  331,  333-335 
Pratt  & Whitney  JT3D  engine,  engine-shutdown 
ra»e,  301-303 

first-stage  nozzle  guide  vanes,  202-204 
premature-removal  rate,  302 
Pratt  & Whitney  JT4  engine,  overhaul-interval 
history,  381 

Pratt  & Whitney  JT8D-7  engine,  age-reliability 
relationship,  42-45,  398-408 
history  of  reliability  improvement,  119,  226-227 
opportunity-sampling  program,  122,  314-315 
prediction  of  reliability  improvement,  120 
RCM  analysis  of,  205-224 
Pratt  & Whitney  R-2800  CA-15  engine,  age- 
reliability  relationship,  374-375 
Precautionary  removals,  24 
Preload  condition,  235-236 
Premature  removals,  24 
actuarial  analysis  of,  39-48,  57-58,  123-126, 
390-419 

systems  items,  Douglas  DC-8,  373 
Premature-removal  report,  298-299 
see  also  information  systems 
Preventive  maintenance,  11 

product  improvement  as,  75-77 
see  also  scheduled  maintenance 
Prior-to-service  program,  see  initial  maintenance 
program 

Probability,  dilemma  of  extreme  improbability, 


339-341 

of  survival,  40-42 

see  also  conditional  probability  of  failure 
Probability  density  of  failure,  42-43,  413,  414,  416 
Probability  distributions,  411—41** 
exponential,  412-413 
normal,  412-415 
VVtibull,  415 

Produc  t improvement,  73-77,  128-137 
detei  mining  desirability  of,  131-134,  323 
determining  need  for,  129-131 
information  requirements,  134-135 
maintenance-redesign  cycle,  116-121,  312-313 
role  in  equipment  development,  135-137,  348 
Program-development  team,  145-147,  353 
Pyrotechnic  devices,  59,  191 

Radiography  inspection,  52,  127 
Random  damage,  see  accidental  damage 
Rate  of  fleet  growth,  105,  123 
Rating  scales,  structurally  significant  items, 

241-244 

zonal  installation,  281 

RCM  analysis,  6-9,  78-80,  86-99,  141-144,  362-366 
air-conditioning  pack,  Douglas  DC-10,  164-170 
brake  assembly,  main  landing  gear,  Douglas 
DC-10,  178-186 

elevator  bearings,  flight-cor.trol  system,  Douglas 
DC-8,  326-327 

fuel  pump,  Douglas  A-4,  170-178 
high-frequency  communications  subsystem, 
Boeing  747,  186-190 

powerplant,  Pratt  & Whitney  JT8D,  205-224 
shock-strut  outer  cylinder,  Douglas  DC-10, 
252-256,  267-273 

spar  cap,  wing  rear  spar,  Douglas  DC-lo, 
252-256,  260-267 

wing-to-fuselage  attach  tee,  Douglas  DC-10, 
252-256,  258-260 

RCM  decision  diagram,  91-99,  358 
evaulation  of  failure  consequences,  86-89, 
357-358 

evaluation  of  proposed  tasks,  89-91,  359-361 
RCM  programs,  auditing  of  program  development, 
350-369 

applications  to  commercial  air'-aft,  140-157 
applications  to  other  equipment,  80,  140-141, 
341-342,  347-348 

development  of  initial  program,  78-111,  147-152 


history  of,  4-6,  370-387 
for  in-service  fleets,  137-138,  343-346 
management  of,  153-156,  293-299,  367-368 
organization  of  program-development  team, 
145-147,  353 

purging  the  program,  328-329 
Rear  spar  at  bulkhead  intersection, 

Douglas  DC-10,  12 

Reciprocating  engines,  10,  47,  374-375 
Redesign,  as  default  action,  92-93,  95,  96,  128-131, 
176-177 

economic  desirability,  131-135 
see  also  product  improvement 
Reduced  operating  capability,  see  operational 
consequences 

Reduced  resistance  to  failure,  32-37 
ability  to  measure,  19-20,  51-53,  104 
rate  of  reduction,  104,  106-107,  114-115 
Redundancy,  5,  11,  75,  140,  149,  159-160,  161-162, 
195,  201,  234,  249,  387 
see  also  damage-tolerant  structural  items, 
multiengine  aircraft 
Regulatory  usage,  65-66,  371-372,  385 
Reliability,  40 
ir>  iexes  of,  39-45 
inherent  reliability,  103 

Reliability-centered  maintenance,  1,  6-9,  141-144 
a maintenance  philosophy,  xvi-xx 
relationship  to  MSG-2,  vii-viii,  5-6,  385-387 
see  also  KCM  analysis,  RCM  programs 
Reliability  characteristics,  inherent,  75-77, 

103-105,  114-115 

Reliability  controlled  overhaul  program 
(RCOH),  382 

Reliability  data,  ranking  of,  293 
Reliability  problems  in  complex  equipment, 

9-11,  388 

Reliability  programs,  376-387 
Reliability-stress  analysis,  382 
Removals,  see  premature  removals,  scheduled 
removals 

Repair  costs,  see  economic  consequences 
Residual  strength,  effect  of  fatigue,  232-233 
Residual-strength  ratings,  damage-tolerant 
structural  elements,  233,  241-242,  321 
Resistance  to  failure,  32-37,  51-53,  84-85,  161, 

233,  364 

see  also  fatigue  life,  reduced  resistance  to  failure 
Resolving  differences  of  opinion,  325-329 


Rework  tasks,  50,  56-58 
applicability  criteria,  4,  57,  66,  71-72,  143, 
224-225,  359,  363 
characteristics  of,  65,  67,  68-69 
control  of  critical  failures,  51,  68,  360 
default  decision  in  initial  program,  45,  91, 

97-99,  144,  361 
effect  on  age  exploration,  225 
effect  on  failure  rate,  44-45,  48 
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effect  on  shop  workload,  57-58 
effectiveness  criteria,  57-58,  100-103,  360,  363 
task  intervals,  58,  102,  193,  22*  225,  359,  363 
see  also  scheduled  overhaul 
Risk  evaluation,  problem  of,  337-340 

Safe-life  design,  234 
Safe-life  discard  tasks,  see  discard  tasks 
Safe-life  items,  powerplants,  72,  118,  198,  209-210 
structure,  234-235,  237,  740,  242,  244-245, 
254-257,  267-273 
systems,  161,  311-312 
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Safety-alert  system,  135,  247 
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see  also  critical  failures 
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dilemma  of  extreme  improbability,  339-341 
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effect  of  structural  failures,  335-337 
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Scheduled-maintenance  requirements,  see 
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Scheduled-maintenance  tasks,  50-69 
discard  tasks,  58-61 
failure-finding  tasks,  61-64 
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Scheduled  overhaul,  16,  47-48,  56,  65,  66,  249-274 
changing  perceptions  of  overhaul  policy,  376-382 
current  regulatory  usage,  65,  371-372 
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Shop  maintenance,  13-14,  71-72 
Shop  workload,  effect  of  scheduled  removals, 
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Shotgun  troubleshooting,  23 
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identification  of,  80-83 
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Signature  of  failure  mode,  127 
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Spectrographic  oil  analysis,  71,  127 
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Statistical  reliability  reports,  135 
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100  percent  program,  320 
rating  factors,  240-243 
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321-322 

Structurally  significant  items,  84,  237-238,  240,  247 
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Structures,  age  exploration  of,  107,  273-275, 
315-323 

analysis  of  damage-tolerant  items,  252-254, 
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260-267 
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analysis  of  safe-life  items,  252-257 
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267-273 
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program,  384 
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Technological  change,  9-11,  115,  126-128 
Technologically  useful  life,  10,  131,  156 
see  also  geriatric  aircraft 
TERP  (Turbine  Engine  Reliability  Program), 

381,  382 

TETCP  (Turbine  Engine  Time  Control  Program), 
378,  381 

Test  data,  147,  199,  239 
fatigue  and  crack-propagation  tests,  232, 

234-235,  239,  243,  248,  256-257,  273 
safe-life  items,  59,  234-235,  248 
Test  and  Replace  as  Necessary  program 
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Time-extension  samples,  121,  296,  307,  378 
Tires,  blowout  as  secondary  damage,  182 
tread  wear  as  potential  failure,  31-33 
Training  of  program-development  team,  146, 
353-354 

Troubleshooting  methods,  23 
Turbine  blades,  23,  26,  71 
Turbine  engine,  see  powerplants 
Turbine  Engine  Reliability  Program  (TERP), 
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consequences 
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Walkaround  inspections,  73,  282 
Wearout  characteristics,  43-44,  47 
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Working  groups,  see  program-development 
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executive  summary 

reliability-centered 

maintenance 


EXECUTIVE  SUMMARY 


reliability-centered  maintenance 


j \ 


i t 

t » 

i i 


This  executive  summary  provides  an  introductory 
overview  of  the  book  Reliability-Centered  Maintenance. 
The  following  discussion  is  greatly  condensed  and 
is  intended  only  as  a brief  orientation  to  the 
general  subject  matter.  Those  interested  in  a more 
comprehensive  understanding  of  specific  points  are 
referred  to  the  book  for  a thorough  and  detailed 
development  of  the  topic. 
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In  1974  the  Office  of  the  Secretary  of  Defense,  U.S.  Department  of 
Defense,  directed  the  military  services  to  incorporate  United  States 
commercial  airline  practices  into  maintenance  programs  for  military 
equipment.  This  directive  has  been  reaffirmed  each  year.  Thus  far, 
however,  efforts  to  implement  it  have  been  har  pered  by  the  absence  of 
explanatory  material.  The  brief  working  papers  which  served  as  the 
basis  for  airline  maintenance  programs  were  originally  written  for  a 
small  group  of  readers  with  extensive  backgrounds  in  airline  mainte- 
nance, engineering,  and  reliability  analysis,  and  the  detailed  clarifica- 
tion necessary  for  those  in  other  fields  to  understand  airline  practices 
was  found  to  be  unavailable  in  the  published  literature.  To  provide  this 
information,  the  Department  of  Defense  commissioned  United  Airlines 
to  prepare  a textbook  that  fully  explains  a logical  discipline,  based  on 
tested  and  proven  airline  practices,  which  can  be  used  to  develop 
effective  scheduled-maintenance  programs  for  complex  equipment.  The 
resulting  book  is  titled  Reliability-Centered  Maintenance,  and  it  repre- 
sents the  present  state  of  the  art  in  the  field  of  preventive  maintenance. 

► THE  TRADITIONAL  APPROACH  TO 
PREVENTIVE  MAINTENANCE 

The  traditional  approach  to  scheduled-maintenance  programs  was  based 
on  the  concept  that  every  item  on  a piece  of  complex  equipment  has  a 
"right  age"  at  which  complete  overhaul  is  necessary  to  ensure  safety 
and  operating  reliability.  Through  the  years,  however,  it  was  discovered 
that  many  types  of  failures  could  not  be  prevented  or  elfectively  reduced 
by  such  maintenance  activities,  no  matter  how  intensively  they  were 
performed,  In  response  to  this  problem  airplane  designers  began  to 
develop  design  features  that  mitigated  failure  consequences  — that  is, 
they  learned  how  to  design  airplanes  that  were  "failure-tolerant." 

4 EXECUTIVE  SUMMARY  Practices  such  as  the  replication  of  system  functions,  th^  use  of  multiple 


4' 


engines,  and  the  design  of  damage-toierant  structures  greatly  weakened 
the  relationship  between  safety  and  reliability,  although  this  relation- 
ship has  not  been  eliminated  altogether. 

Nevertheless,  there  was  still  a question  concerning  the  relationship 
of  preventive  maintenance  to  reliability.  By  the  late  1950s  the  size  of  the 
commercial  airline  fleet  had  grown  to  the  point  at  which  there  were 
ample  data  for  study,  and  the  cost  of  maintenance  activities  had  become 
sufficiently  high  to  warrant  a searching  look  at  the  actual  results  of 
existing  practices.  At  the  same  time  the  Federal  Aviation  Agency,  which 
was  responsible  for  regulating  airline  maintenance  practices,  was  frus- 
trated by  experiences  showing  that  it  was  not  possible  to  control  the 
failure  rate  of  certain  unreliable  types  of  engines  by  any  feasible  changes 
in  either  the  content  or  frequency  of  scheduled  overhauls.  As  a result,  in 
1960  a task  force  was  formed,  consisting  of  representatives  from  both 
the  FAA  and  the  airlines,  to  investigate  the  capabilities  of  preventive 
maintenance. 

The  work  of  this  group  led  to  the  establishment  of  the  FAA/lndustry 
Reliability  Program,  described  in  the  introduction  to  the  authorizing 
document  as  follow:  :1 

The  development  of  this  program  is  towards  the  control  of  reliability 
through  an  analysis  of  the  factors  that  affect  reliability  and  provide 
a system  of  actions  to  improve  low  reliability  levels  when  they  exist. 
In  the  past,  a great  deal  of  emphasis  has  been  placed  on  the  control 
of  overhaul  periods  to  provide  a satisfactory  level  of  reliability.  After 
careful  study,  the  Committee  is  convinced  that  reliability  and  over- 
haul time  are  not  necessarily  directly  associated  topics;  therefore, 
these  subjects  arc  dealt  with  separately. 

This  approach  was  a direct  challenge  to  the  traditional  concept  that 
the  length  of  time  between  successive  overhauls  of  an  item  was  an 
important  factor  in  controlling  its  failure  rate.  The  task  force  developed 
a propuloion-system  reliability  program,  and  each  airline  involved  in 
the  task  force  was  then  authorized  to  develop  and  implement  reliability 
programs  in  the  area  of  maintenance  in  which  it  was  most  interested. 
During  this  process  a great  deal  was  learned  about  the  conditions  that 
must  exist  for  scheduled  maintenance  to  be  effective.  Two  discoveries 
were  especially  surprising: 

► Scheduled  overhaul  has  little  effect  on  the  overall  reliability  of  a 
complex  item  unless  the  item  has  a dominant  failure  mode. 

► There  are  many  items  for  which  there  is  no  effective  form  of 
scheduled  maintenance. 
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The  next  step  was  an  attempt  to  organize  what  had  been  learned  from 
the  various  reliability  programs  and  develop  a logical  and  generally 
applicable  approach  to  the  design  of  preventive-maintenance  programs. 
A rudimentary  decision-diagram  technique  was  devised  in  1965,  and  in 
June  1967  a paper  on  its  use  was  presented  at  the  AIAA  Commercial  Air- 
craft Design  and  Operations  Meeting.'1  Subsequent  refinements  of  this 
technique  were  embodied  in  a handbook  on  maintenance  evaluation 
and  program  development,  drafted  by  the  maintenance  steering  group 
formed  to  oversee  development  of  the  initial  program  for  the  new  Boeing 
747  airplane/1  This  document,  known  as  MSG-1,  was  used  by  special 
teams  of  industry  and  FAA  personnel  to  develop  the  first  scheduled- 
maintenance  program  based  on  the  principles  of  reliability-centered 
maintenance.  The  Boeing  747  maintenance  program  has  been  successful. 

Use  of  the  decision  diagram  technique  led  to  further  improvements, 
which  were  incorporated  two  years  later  in  a second  document,  MSG-2: 
Airline! Manufacturer  Maintenance  Program  Planning  Document ,4  MSG-2 
was  used  to  develop  the  scheduled-maintenance  programs  for  the  Lock- 
heed 1011  and  the  Douglas  DC-10  airplanes.  These  programs  have  also 
been  successful.  MSG-2  has  also  been  applied  to  tactical  military  aircraft; 
the  first  applications  were  for  aircraft  such  as  the  Lockheed  S-3  and  P-3 
and  the  McDonnell  F4J.  A similar  document  prepared  in  Europe  was 
the  basis  for  the  initial  programs  for  such  recent  aircraft  as  the  Airbus 
Industrie  A-300  and  the  Concorde. 

The  objective  of  the  techniques  outlined  in  MSG-1  and  MSG-2  was 
to  develop  a scheduled-maintenance  program  that  assured  the  maximum 
safety  and  reliability  of  which  the  equipment  was  capable  and  also  pro- 
vided them  at  the  lowest  cost.  As  an  example  of  the  economic  benefits 
achieved  with  this  approach,  under  traditional  maintenance  policies 
the  initial  program  for  the  Douglas  DC-8  airplane  required  scheduled 
overhaul  for  339  items,  in  contrast  to  seven  such  items  in  the  DC-10  pro- 
gram. One  of  the  items  no  longer  subject  to  overhaul  limits  in  the  later 
programs  was  the  turbine  propulsion  engine.  Elimination  of  scheduled 
overhauls  for  engines  not  only  led  to  major  reductions  in  labor  and 
materials  costs,  but  also  reduced  the  spare-engine  inventory  required  to 
cover  shop  maintenance  by  more  than  50  percent.  Since  engines  for  larger 
airplanes  now  cost  more  than  $1  million  each,  this  is  a respectable  saving. 

As  another  example,  under  the  MSG-1  program  for  the  Boeing  747 
United  Airlines  expended  only  66,000  manhours  on  major  structural 


inspections  before  reaching  a basic  interval  of  20,000  hours  for  the  first 
heavy  inspections  of  this  airplane,  Under  traditional  maintenance  pol- 
icies it  took  an  expenditure  of  more  than  4 million  manhours  ‘o  arrive  at 
the  same  structural  inspection  interval  for  the  smaller  and  less  complex 
Douglas  DC-8.  Cost  reductions  of  this  magnitude  are  of  obvious  impor- 
tance to  any  organization  responsible  for  maintaining  large  fleets  01 
complex  equipment.  More  important: 

► Such  cost  reductions  are  achieved  with  no  decrease  in  reliability. 

On  the  contrary,  a better  understanding  of  the  failure  process  in 
complex  equipment  has  actually  improved  reliability  by  making  it 
possible  to  direct  preventive  tasks  at  specific  evidence  of  potential 
failures. 

Although  the  MSG-1  and  MSG-2  documents  revolutionized  the 
procedures  followed  in  developing  maintenance  programs  for  transport 
aircraft,  their  application  to  other  types  of  equipment  was  limited  by 
their  brevity  and  specialized  focus.  In  addition,  the  formulation  of  certain 
concepts  was  incomplete,  For  example,  the  decision  logic  began  with 
an  evaluation  of  proposed  tasks,  rather  than  an  evaluation  of  the  faiiun 
consequences  that  determine  whether  they  are  needed,  and  if  so,  their 
actual  purpose.  The  problem  of  establishing  task  intervals  was  not 
addressed,  the  role  of  hidden-function  failures  was  unclear,  and  the 
treatment  of  structur.  naintenance  was  inadequate.  There  was  also  no 
guidance  on  the  use  of  operating  information  to  refine  or  modify  the 
initial  program  after  the  ’quipment  entered  service  or  the  information 
systems  needed  for  effective  management  of  the  ongoing  program.  All 
these  shortcomings,  as  well  as  the  need  to  clarify  many  of  the  underlying 
principles,  led  to  analytic  procedures  of  bioader  scope  and  crystalliza- 
tion of  the  logical  discipline  now  known  as  reliability-centered  mainte- 
nance. 

► BASIC  CONCEPTS  OF  RELIABILITY- 

I CENTERED  MAINTENANCE 

I A reliability-centered  maintenance  (RCM)  program  consists  of  a set  of 

L scheduled  tasks  generated  on  the  basis  of  specific  reliability  character- 

I istics  of  the  equipment  they  are  designed  to  protect,  Complex  equipment 

| is  composed  of  a vast  number  of  parts  and  assemblies,  All  these  items 

can  be  expected  to  fail  at  one  time  or  another,  but  some  of  the  failures 
! have  more  serious  consequences  than  others.  Certain  kinds  of  failures 

have  a direct  effect  on  operating  safety,  and  others  affect  the  operational  EXECUTIVE  summary  7 
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capability  of  the  equipment.  The  consequences  of  a particular  failure 
depend  on  the  design  of  the  item  and  the  equipment  in  which  it  is 
installed.  A1  though  the  environment  in  which  the  eq  uipment  is  operated 
is  sometimes  an  additional  factor,  the  impact  of  failures  on  the  equip- 
ment, and  hence  their  consequences  for  the  operating  organization,  are 
established  primarily  by  the  equipment  designer.  Failure  consequences 
are  therefore  a primary  inherent  reliability  characteristic. 

There  are  a great  many  items,  of  course,  whose  failure  has  no  signi- 
ficance at  the  equipment  level.  These  failures  are  tolerable,  in  the  sense 
that  the  cost  of  preventive  maintenance  would  outweigh  the  benefits  to 
be  derived  from  it.  It  is  less  expensive  to  leave  these  items  in  service 
until  they  fail  than  it  is  to  try  to  prevent  the  failures.  Most  such  failures 
are  evident  to  the  operating  crew  at  the  time  they  occur  and  are  reported 
to  the  maintenance  crew  for  corrective  action.  Some  items,  however, 
have  functions  whose  failure  will  not  be  evident  to  the  operating  crew. 
Although  the  loss  of  a hidden  function  has  no  direct  consequences,  any 
uncorrected  failure  exposes  the  equipment  to  the  consequences  of  a 
possible  multiple  failure  as  a result  of  some  later  second  failure.  For 
this  reason  items  with  hidden  functions  require  special  treatment  in  a 
scheduled-maintenance  program. 

The  first  step  in  the  development  of  a maintenance  program  is  to 
reduce  the  problem  of  analysis  to  manageable  size  by  a quick,  approxi- 
mate, but  conservative  identification  of  a set  of  significant  items—  those 
items  whose  failure  could  affect  operating  safety  or  have  major  economic 
consequences.  The  definition  of  major  economic  consequences  will  vary 
from  one  operating  organization  to  another,  but  in  most  cases  it  includes 
any  failure  that  impairs  the  operational  capability  of  the  equipment  or 
results  in  unusually  high  repair  costs.  At  the  same  time  all  items  with 
hidden  functions  must  be  identified,  since  they  will  be  subjected  to 
detailed  analysis  along  with  the  significant  items. 

The  analysis  itself  begins  with  an  evaluation  of  the  fadure  conse- 
quences for  each  type  of  failure  to  which  the  item  is  exposeu.  The  logic 
used  to  organize  this  problem,  shown  in  Exhibit  1,  leads  to  four  cate- 
gories of  failure  consequences: 


► 

Safety  consequences,  which  involve  possible  danger  to  the  equip- 
ment and  its  occupants 

► 

Operational  consequences,  which  involve  an  indirect  economic 
loss  in  addition  to  the  cost  of  repair 
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► 

Nonoperational  consequences,  which  involve  no  economic  loss 
other  than  the  cost  of  repair 
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Safety  Operational  consequences  Nonoperational  consequences  Hidden-failure 

consequences  (economic)  (economic)  consequences 

Impact  immediate Impact  delayed 


EXHIBIT  1 Decision  diagram  to  identify  significant  items  and 
hidder  functions  on  the  basis  of  failure  consequences.  Failures 
that  affect  safety  or  operating  capability  havi  an  immediate  impact, 
since  the  equipment  cannot  be  dispatched  until  they  have  been 
corrected.  The  impact  of  nonoperational  failures  and  hidden  tailures 
is  delayed  in  the  sense  that  correction  can  be  deferred  to  a convenient 
time  and  location. 


► Hidden-failure  consequences,  which  involve  exposure  of  the  equip- 
ment to  a multiple  failure  as  the  result  of  a later  failure  of  some 
other  item 

If  the  failure  is  one  that  could  have  a direct  effect  on  operating  safety, 
either  through  loss  of  an  essential  function  or  as  a result  of  critical  sec- 
ondary damage,  all  maintenance  work  that  is  likely  to  prevent  such  fail-  EXECUTIVE  SUMMARY  9 


ures  is  required,  and  if  maintenance  does  not  have  the  capability  to 
reduce  the  risk  of  failure  to  an  acceptable  level,  the  item  must  be  rede- 
signed. If  the  failure  is  one  that  will  not  be  evident  to  the  operating  crew, 
and  therefore  reported  and  corrected,  scheduled  maintenance  is  also 
required,  to  ensure  adequate  availability  of  the  hidden  function.  In  all 
other  cases  the  consequences  of  failure  are  economic,  and  the  desirability 
of  preventive  maintenance  can  be  evaluated  only  in  economic  terms. 
(One  notable  exception  is  the  case  of  certain  military  equipment  failures 
that  might  additionally  include  consideration  of  a critical  strategic  or 
tactical  impact  which  may  be  difficult  to  quantify  solely  in  economic 
terms.)  For  failures  that  do  not  involve  safety,  then,  the  criterion  of 
maintenance  effectiveness  is  cost  effectiveness;  the  cost  of  preventive 
tasks  must  be  less  than  the  cost  of  the  failures  they  prevent. 

► SELECTION  OF  MAINTENANCE  TASKS 

There  are  only  four  basic  types  of  preventive-maintenance  tasks,  each  of 
which  is  applicable  under  a specific  set  of  conditions: 

► Inspection  of  an  item  at  specified  intervals  to  find  and  correct 
potential  failures,  thereby  preempting  functional  failures 

► Rework  (overhaul)  of  an  item  at  or  before  some  specified  operating 
age  to  reduce  the  frequency  of  functional  failures 

► Discard  of  an  item  or  one  of  its  parts  at  or  before  some  specified 
life  limit  to  avoid  functional  failure  or  reduce  their  frequency 

► Inspection  of  a hidden-function  item  at  specified  intervals  to  find 
and  correct  functional  failures  that  have  already  occurred  but  were 
not  evident  to  the  operating  crew 

The  first  three  types  of  tasks  are  directed  at  preventing  single  failures, 
and  the  fourth  is  directed  at  preventing  multiple  failures.  Inspection 
tasks  can  generally  be  performed  without  removing  the  item  from  the 
equipment,  whereas  rework  and  discard  tasks  generally  require  that  the 
item  be  removed  and  sent  to  a major  maintenance  base. 

The  development  of  an  RCM  program  consists  of  determining  which 
of  -se  four  types  of  tasks,  if  any,  are  both  applicable  and  effective  for 
a given  item.  Thus  an  inspection  for  potential  failures  can  be  applicable 
only  if  the  item  has  reliability  characteristics  that  make  it  possible  to 
define  a potential-failure  condition.  Similarly,  an  age-limit  task  can  be 
applicable  only  if  the  failures  ai  which  it  is  directed  are  related  to  oper- 
10  EXECUTIVE  SUMMARY  atirtg  age.  Effectiveness  is  a measure  of  the  results  of  the  task;  the  cri- 
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f mon  for  these  results,  however,  depends  on  the  failure  consequences 
the  task  is  designed  to  prevent.  For  example,  a proposed  task  might 
appear  useful  if  it  promises  to  reduce  the  overall  failure  rate,  but  it  could 
not  be  considered  effective  if  the  failures  have  safety  consequences, 
since  the  objective  in  this  case  is  to  prevent  all  occurrences  of  a functional 
failure.  The  characteristics  of  the  basic  tasks,  their  relative  resolving 
power,  and  the  specific  applicability  criteria  for  each  one  are  described 
in  detail  in  the  text  Reliability-Centered  Maintenance.  All  these  factors 
result  in  a clear  order  of  task  perference,  making  it  possible  to  evaluate 
proposed  tasks  by  means  of  the  decision  logic  shown  in  Exhibit  2. 

EXHIBIT  2 Decision  diagram  to  evaluate  proposed  scheduled- 
mair.tenanre  tasks.  It  none  of  the  three  directly  preventive  tasks 
meets  the  criteria  for  applicability  and  effectiveness,  an  item  whose 
failures  are  evident  cannot  be  considered  to  benefit  from  scheduled 
maintenance.  If  the  item  has  a hidden  function,  the  default  action  is  a 
scheduled  failure-finding  task. 


Discard  No  scheduled 

task  maintenance 
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► TASK  INTERVALS:  AN  INFORMATION  PROBLEM 


With  the  techniques  of  RCM  analysis  it  is  fairly  simple  to  decide  what 
tasks  to  include  in  a scheduled-maintenance  program,  but  the  decision 
logic  does  not  cover  the  intervals  at  which  these  tasks  are  to  be  per- 
formed. Intervals  for  safe-life  discard  tasks  are  established  by  the  man- 
ufacturer on  the  basis  of  developmental  testing  and  are  usually  not 
expected  to  change.  The  applicability  of  other  age-limit  tasks  must  be 
determined  through  age  exploration  after  the  equipment  enters  service; 
hence  their  intervals  can  be  based  at  that  time  un  actual  operating  info- 
mation.  The  most  effective  tool  in  a scheduled-maintenance  program, 
however,  is  on-condition  inspection  for  potential  failures,  and  in  this 
case  there  is  usually  not  enough  information  to  set  minimum-cost 
intervals  even  after  the  equipment  is  in  service  and  age  exploration  is 
under  way. 

At  the  time  an  initial  program  is  developed,  the  available  infon  ’ 
tion  is  usually  limited  to  prior  experience  with  similar  items,  familiarity 
with  the  manufacturers  design  practices,  and  the  results  of  develop- 
mental and  fatigue  tests  for  the  new  equipment.  With  this  information 
it  is  possible  to  arrive  at  rough  estimates  of  the  ages  at  which  deteriora- 
tion can  be  expected  to  become  evident.  However,  the  inspection  inter- 
vals in  an  initial  program  are  then  set  at  only  a fraction  of  these  ages. 
The  fraction  may  be  quite  a small  one,  to  force  intensive  exploration 
of  aging  characteristics,  if  the  manufacturer  is  relatively  inexperienced, 
if  new  materials  or  manufacturing  methods  have  been  used,  or  if  the 
equipment  is  to  be  operated  in  an  unfamiliar  environment.  While  this 
initial  conservatism  increases  the  cost  of  inspection  on  the  first  pieces  of 
equipment  to  enter  service,  the  overall  economic  impact  is  small,  since 
the  intent  is  to  increase  the  intervals  on  the  basis  of  the  inspection 
findings  as  the  new  fleet  grows  in  size. 

The  principle  of  on-condition  inspections  is  that  the  time  to  the 
first  inspection  should  be  long  enough  for  the  first  evidence  of  deterio- 
ration to  be  visible,  and  the  intervals  for  repeat  inspections  should  be 
short  enough  to  ensure  that  any  unit  that  has  reached  the  potential- 
failure  stage  will  be  removed  from  service  before  a functional  failure 
occurs.  In  theory,  then,  the  problem  of  establishing  optimum  intervals 
should  merely  be  one  of  using  age  exploration  to  identify  the  actual  rate 
of  deterioration  and  potential-failure  age  of  each  item.  Often,  however, 
once  this  age  is  identified,  it  will  be  judged  undesirably  low  and  the 
item  will  be  redesigned  to  increase  its  longevity.  Consequently  the 
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"correct"  inspection  interval  for  any  item  may  apply  only  from  the  time 
its  original  reliability  characteristics  are  determined  until  the  time  the 
modified  item  goes  into  service.  While  the  dynamics  of  this  process  add 
new  age-exploration  requirements  throughout  the  life  of  the  equipment, 
they  also  reduce  the  growth  in  the  maintenance  workload  that  is  asso- 
ciated with  older  equipment. 


► THE  DESIGN-MAINTENANCE  PARTNERSHIP 

As  a result  of  continuing  interaction  between  design  and  maintenance 
organizations,  the  future  will  see  airplanes  and  other  complex  equip- 
ment that  can  be  more  effectively  maintained  and  achieve  still  higher 
levels  of  safety  and  reliability.  On  one  hand,  the  design  organization 
determines  the  inherent  characteristics  of  the  equipment,  including  the 
consequences  of  functional  failures  and  the  feasibility  and  cost  of  pre- 
venting them.  On  the  other  hand,  the  maintenance  organization  attempts 
to  realize  all  the  safety  and  reliability  of  which  the  equipment  is  capable. 

Achievement  of  this  goal,  however,  requires  a joint  effort  which  has  not 
always  been  recognized.  Designers  have  not  always  understood  both 
the  capabilities  and  the  limitations  of  scheduled  maintenance;  by  the 
same  token,  maintenance  organizations  have  not  always  had  a clear 
grasp  of  the  design  goals  for  the  equipment  they  maintain. The  need  for 
a close  partnership  has  always  existed,  but  the  comprehensive  analysis 
required  by  KCM  techniques  makes  this  need  far  more  apparent. 

During  the  development  of  a prior-to-service  program  the  identifi- 
cation of  functionally  and  structurally  significant  items  and  hidden  func- 
tions depends  on  the  designer's  information  on  failure  effects  as  well 
as  the  operator's  knowledge  of  their  consequences.  At  this  stage  the 
information  on  anticipated  failure  modes  must  also  come  from  the  de- 
signer. In  general,  on-condition  inspections  are  the  principal  mainte- 
nance weapon  against  functional  failures.  However,  it  must  be  possible 
to  use  them,  preferably  without  removing  items  from  the  equipment. 

Thus  the  designer  must  not  omy  help  to  define  the  physical  evidence 
that  makes  such  inspections  applicable,  but  must  also  be  sure  there  is 
some  access  to  the  item  to  be  inspected. 

Once  the  equipment  enters  service  there  will  be  a continual  flow 
of  information  on  the  condition  and  performance  af  each  item  under 
actual  operating  conditions.  This  information  is  ->eded  not  only  to 
refine  and  modify  the  maintenance  program,  but  alsc  o initiate  product 
improvement  for  those  items  whose  reliability  proves  to  be  inadequate. 

One  of  the  basic  functions  of  the  operator's  age-exploration  program  is  EXECUTIVE  SUMMARY  13 
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to  provide  the  designer  with  the  hardware  information  necessary  for 
product  improvement.  Certain  items  on  newly  designed  equipment 
frequently  have  a very  high  failure  rate  when  they  first  enter  service, 
and  this  interaction  between  design  and  maintenance  should  be  part  of 
the  normal  development  cycle  for  all  complex  equipment. 

The  designer's  help  is  of  more  immediate  importance  in  dealing 
with  serious  unanticipated  failures.  In  this  case  the  designer  must  help 
the  maintenance  organization  to  devise  interim  maintenance  tasks  that 
will  control  the  problem  until  design  changes  have  been  developed  and 
incorporated  in  the  operating  fleet.  The  two  organizations  must  work 
together  to  identify  the  failure  mechanism,  because  this  information  is 
required  for  the  development  of  interim  tasks  as  well  as  for  ultimate 
solution  of  the  problem  by  redesign. 


► Thus  the  key  both  to  effective  maintenance  and  to  greater  inherent 
reliability  is  a continuing  close  partnership,  with  both  design  and 
maintenance  organizations  familiar  with  and  sympathetic  to  each 
other's  problems,  go.. Is,  and  capabilities. 


EXPANSION  OF  RCM  APPLICATIONS 


EXECUTIVE  SUMMARY 


The  widespread  and  successful  application  of  RCM  principles  in  the 
air-transport  industry  has  important  implications  for  many  types  of 
complex  equipment  other  than  aircraft.  Mar  / of  the  current  problems 
with  rapid-transit  equipment,  fleets  of  ships  and  ground  vehicles,  and 
even  machinery  used  in  complex  manufacturing  processes  indicate  that 
the  relationship  between  design  and  maintenance  is  not  clearly  under- 
stood. In  many  instances,  however,  operating  organizations  themselves 
have  not  considered  the  real  capabilities  and  limitations  of  scheduled 
maintenance  and  have  been  frustrated  by  their  inability  to  solve  the 
problems  of  safety  and  operational  disruptions  caused  by  failures.  While 
no  form  of  preventive  maintenance  can  overcome  reliability  problems 
that  are  inherent  in  the  design  of  the  equipment,  RCM  analysis  does 
provide  a means  of  identifying  the  specific  maintenance  tasks  and 
product  improvements  that  will  alleviate  such  problems. 

In  general,  any  maintenance  support  program  based  on  RCM  prin- 
ciples has  the  following  objectives: 

► To  ensure  realization  of  the  inherent  safety  and  reliability  levels 
of  the  equipment 

► To  restore  the  equipment  to  these  inherent  levels  when  deteriora- 
tion occurs 
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► To  obtain  the  information  necessary  for  design  improvement  of 
those  items  whose  inherent  reliability  proves  inadequate 

► To  accomplish  these  goals  at  a minimum  total  cost,  including  main- 
tenance costs,  support  costs,  and  the  economic  consequences  of 
operational  failures 

One  obstacle  to  all  these  objectives  is  the  tendency  to  rely  on  traditional 
concepts  of  scheduled  maintenance,  especially  the  belief  that  scheduled 
overhauls  are  universally  applicable  to  complex  equipment.  Thus  an 
operating  organization  must  recognize  the  following  facts  before  it  is 
prepared  to  develop  and  implement  a detailed  RCM  program  for  its 
equipment: 

► The  design  features  of  the  equipment  establish  the  consequences 
of  any  functional  failure,  as  well  as  the  cost  of  preventing  it. 

► Redundancy  is  a powerful  design  tool  for  reducing  safety  conse- 
quences  to  economic  consequences  by  preventing  a complete  loss 
of  function  to  the  equipment. 

► Scheduled  maintenance  can  prevent  or  reduce  the  frequency  of 
functional  iailures  of  an  item,  but  it  cannot  alter  their  consequences. 

► Scheduled  maintenance  can  ensure  that  the  inherent  reliability  of 
each  item  is  realized,  but  it  cannot  alter  the  characteristics  of  the 
item. 

► There  is  no  "right  time"  for  scheduled  overhauls  that  will  solve 
reliability  problems  in  complex  equipment. 

► On-conditior  inspections, which  make  it  possib’e  to  preempt  fu ac- 
tional failures  by  potential  failures  are  the  most  effective  tool  of 
preventive  maintenance. 

► A scheduled-maintenance  program  must  be  dynamic;  any  prior-to- 
service  program  is  based  on  limi'*»d  information,  and  an  operating 
organization  must  be  prepared  to  collect  and  respond  to  real  data 

iroughout  the  service  life  of  the  equipment. 

► Product  improvement  is  a normal  part  of  the  development  cycle 
for  ■><!  new  equipment. 

Once  an  operating  organization  is  comfortable  with  these  facts,  it 
is  r<  to  proceed  confidently  with  the  detailed  development  of  an 
RCM  program.  The  resulting  program  will  include  all  the  scheduled 
tasks  necessary  or  desirable  to  protect  the  equipment,  and  because  it 


includes  only  the  tasks  that  will  accomplish  this  goal,  this  program  can 
provide  major  economic  benefits.  More  important,  by  directing  both 
scheduled  tasks  and  intensive  age  exploration  at  those  items  which  are 
truly  significant  at  the  equipment  level,  the  ultimate  result  will  be 
equipment  with  a degree  of  inherent  reliability  that  is  consistent  with 
the  state  of  the  ait  and  the  capabilities  of  maintenance  technology. 

► CONCLUDING  REMARKS 

The  book  Reliability-Centered  Maintenance  is  the  first  full  discussion 
of  a decision-diagram  technique  that  applies  a straightforward  logic 
to  the  development  of  scheduled-maintenance  ~rams  for  complex 
equipment.  The  net  result  of  this  analytic  tool  is  a structured,  systematic 
blend  of  experience,  judgment,  and  specific  information  to  determine 
which  maintenance  tasks,  if  any,  are  both  applicable  and  effective  for 
those  items  whose  failure  has  significant  consequences  for  the  equip- 
ment in  which  they  are  installed.  Part  One  of  the  book  explains  the  basic 
concepts  and  principles  underlying  RCM  theory,  and  Part  Two  illustrates 
actual  hardware  analyses,  with  examples  drawn  from  aircraft  systems, 
powerplants,  and  structures.  The  problem  of  packaging  maintenance 
tasks  for  implementation,  the  information  systems  needed  for  effective 
management  of  the  ongoing  program,  and  the  uses  of  operating  data  as 
part  of  a continuing  dynamic  process  are  also  addressed  in  detail. 
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